Splunk® User Behavior Analytics

Develop Custom Content in Splunk User Behavior Analytics

Edit or delete custom models

You can edit or delete custom models in Splunk UBA.

The logged-in user must have the role of Content_Developer to edit or delete custom models.

Edit a custom model

Edit an existing custom model by performing the following tasks:

  1. In Splunk UBA, select System > Models.
  2. Click Custom Models.
  3. Hover over the name of the model you want to edit, click the hamburger (The edit model icon) icon and select Edit.
  4. Navigate through the Edit Custom Model wizard and make the desired changes. The screen are the same as the ones described in Create a new custom model.
  5. Click OK.

Editing an active model makes it inactive, even if you do not make any changes. You can trigger or re-activate the model as needed.

Delete a custom model

Delete an existing custom model by performing the following tasks:

  1. In Splunk UBA, select System > Models.
  2. Click Custom Models.
  3. Hover over the name of the model you want to edit, click the hamburger (The edit model icon) icon and select Delete.
  4. Click OK to confirm that you want to delete this model.

When a custom model is deleted from the system, the following content is also deleted:

  • All anomalies raised by the model regardless of their status as active or in test mode
  • All threats generated by the anomalies raised by the model
Last modified on 01 March, 2024
Trigger, activate, or deactivate your custom models   Edit anomaly scoring rules

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters