Add data sources to Splunk UBA in test mode
Add data sources to Splunk UBA in test mode to validate that Splunk UBA is importing the data sources successfully and accurately. Test mode is most useful when validating data sent to Splunk UBA from other Splunk software, such as Splunk Enterprise or Splunk Enterprise Security.
Test mode does not work in the following situations:
- File-based data sources such as event files
- Human Resources (HR) data, because HR data does not contain events
- Assets data, because assets data does not contain events
Do not clone a test mode data source. Instead, after you validate that the test mode data is satisfactory, create a new data source to add the desired data.
Test mode results with Kafka ingestion verify the following:
- The validity of the SPL
- The events returned from the Splunk platform and how they are parsed
- The views obtained from the parsed events
Test mode with Kafka data ingestion does not verify whether the indexer is writing to the Splunk UBA Kafka topic.
Add data sources in test mode
Test mode processes events for validity with the event parser but does not process the events for anomalies. Test mode imports the first 10,000 events or the first 5 minutes' worth of events from a data source, whichever limit is reached first. You cannot modify the time constraint.
- In Splunk UBA, select Manage > Data Sources.
- Click New Data Source.
- Select a data source format.
- Fill out the required fields for the data source.
- Click Next.
- Leave the check box for Test Mode selected.
- Click OK.
Review the results of data source validation
After data source test mode completes or stops, review the results of test mode validation. Allow five minutes or more for the results of data source test mode to appear. Test mode validation results do not appear for data sources in distributed mode.
- Click the data source name in the list of data sources.
- Review the Test Mode Views Validation to compare the number of processed events with the valid events for each view type.
- Click the parsed events icon to review sample parsed events for errors in the event fields identified by the parser. Example validation errors include events that are missing required information or fields.
The events per second (EPS) metric shows no data during test mode.
Make changes to data sources as needed
Based on the results of the data source validation, make changes as needed.
- Change the data source query that you use to get events from the Splunk platform or Splunk ES so that the query returns the required information.
- Make sure that all necessary fields are populated and properly mapped.
Click Start in Test Mode at any time to re-test event parsing after you make changes.
Start the data source in production mode
After Splunk UBA parses the events from the data source correctly, click Start on the data source details page to begin processing the events for anomalies.
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1