Splunk® User Behavior Analytics

Use Splunk User Behavior Analytics

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

See all users on the user table

The Users Table provides a view of all users and accounts in your network. Select Explore > Users to view the table. By default, the table shows only users and accounts with anomalous activity in your network. Use the filter options to view All Users instead.

This screen image shows the Users Table page. The elements on this page are described in the surrounding text.

The table shows the user's name or account's login ID, whether or not their HR record is known or unknown by Splunk UBA, associated anomalies, associated threats, the external and insider risk percentiles of the user or account, the date and time when the account was last updated, and a risk score. Click a row to View user information for the selected user or account.

Users are based on HR data and can have multiple user accounts associated with them, visible on the User Accounts page.

UBA combines Human Resources (HR) data with Active Directory (AD) data to define users. You need HR data and AD data to see both users and accounts. Without HR data, only accounts display.

See Why Splunk UBA requires HR data for more information.

Last modified on 26 November, 2022
Use event drilldown to review an anomaly's raw events
See all devices on the devices table

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4,, 5.0.5,, 5.1.0,, 5.2.0, 5.3.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters