Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Add data sources to Splunk UBA in test mode

Add data sources to Splunk UBA in test mode to validate that Splunk UBA is importing the data sources successfully and accurately. Test mode is most useful when validating data sent to Splunk UBA from other Splunk software, such as Splunk Enterprise or Splunk Enterprise Security.

Test mode does not work in the following situations:

  • File-based data sources such as event files
  • Human Resources (HR) data, because HR data does not contain events
  • Assets data, because assets data does not contain events
  • Do not clone a test mode data source. Instead, after you validate that the test mode data is satisfactory, create a new data source to add the desired data.

Test mode results with Kafka ingestion verifies the following:

  • The validity of the SPL
  • The events returned from the Splunk platform and how they are parsed
  • The views obtained form the parsed events

Test mode with Kafka data ingestion doesn't verify whether or not the indexer is writing to the Splunk UBA Kafka topic.

Add data sources in test mode

Test mode processes events for validity with the event parser but does not process the events for anomalies. Test mode imports the first 10,000 events or 5 minutes worth of events from a data source, whichever happens first. You cannot modify the time constraint.

  1. In Splunk UBA, select Manage > Data Sources.
  2. Click New Data Source.
  3. Select a data source format.
  4. Fill out the required fields for the data source.
  5. Click Next.
  6. Leave the check box for Test Mode selected.
  7. Click OK.

Review the results of data source validation

After data source test mode completes or stops, review the results of test mode validation. Allow five minutes or more for the results of data source test mode to appear. Test mode validation results do not appear for data sources in distributed mode.

  1. Click the data source name in the list of data sources.
  2. Review the Test Mode Views Validation to compare the number of processed events with the valid events for each view type.
    This screen image shows the data source page for an example data source called SplunkEnterprise. Data from this data source was ingested in test mode. The Test Mode Views Validation section shows a table with the following columns: View Type, Processed Events, and Valid Events.
  3. Click the parsed events icon (the parsed events icon) to review sample parsed events for errors in the event fields identified by the parser. Example validation errors include events that are missing required information and fields.

The events processed per second (EPS) does not show data during test mode.

Make changes to data sources as needed

Based on the results of the data source validation, make changes as needed.

  • Change the data source query that you are using to get events from the Splunk platform or Splunk ES to make sure that the data source query contains required information.
  • Make sure that all necessary fields are populated and properly mapped.

Click Start in Test Mode at any time to re-test event parsing after you make changes.

Start the data source in production mode

Once Splunk UBA parses the events from the data source correctly, click Start in the data source details page to start processing and parsing the events for anomalies.

Last modified on 24 February, 2021
Add file-based data sources to Splunk UBA   Filter events analyzed by Splunk UBA for anomalies

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters