Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Make changes to your HR data

Splunk UBA updates HR data daily. Because HR data is used to assign users and IDs to events processed from all other data sources, you cannot make changes to HR data once you start adding data sources. Changing the HR data configuration after data sources are added causes duplicate user IDs to appear in Splunk UBA. If you need to modify your HR data configuration after you have ingested events from other data sources, you must do the following:

  1. Remove all metadata from Splunk UBA.
  2. Ingest and verify your HR data again.
  3. Ingest events from your data sources again.
Last modified on 29 October, 2020
Validate HR data configuration before adding other data sources
Identify assets in your environment

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4,, 5.0.5,, 5.1.0,, 5.2.0, 5.3.0

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters