Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Review and edit existing data sources in Splunk UBA

Review the data sources to make sure that data ingestion is proceeding as expected.

View job execution times in Splunk Enterprise

Splunk UBA performs micro-batched searches in one-minute intervals against Splunk Enterprise to pull in events. Review the search job execution times to make sure that they are not exceeding one minute.

  1. In Splunk Enterprise, select Activity > Jobs to open the Jobs page.
  2. Filter the jobs by searching for the usernames of the Splunk UBA data sources.
  3. Examine the value in the Runtime column to make sure that the job is taking less than one minute to execute.
  4. Use the Search job inspector to drill down and view more information if needed.

See About jobs and job management in the Splunk Enterprise Search Manual for more information about the Jobs page and using the Search job inspector to view detailed information about a job.

Review data sources in Splunk UBA

Select Manage > Data Sources to view existing data sources and the number of events added from each data source. Key indicators reveal statistics about your data. Click a key indicator to see more detail. Review the name, type, format, status, number of events, and the date added for each data source.

Data sources in Splunk UBA can have the following statuses:

Status What the status means about the data source
Processing Data sources begin with this status when you create them in Splunk UBA.
Complete File-based data sources, batch jobs, and scheduled jobs have this status when data ingestion is complete.
Stopped Data sources have this status in the following situations:
  • A Stop button is clicked for a data source.
  • JobManager is restarted. This will temporarily stop all live jobs, and can also mark unresponsive or dead jobs as Stopped.
  • When ingesting live data, the data source can go into Stopped mode when data ingestion in test mode is completed.
Failed Data sources have this status when JobManager detects any errors, such as Splunk server connectivity issues, or a data source cannot be created. The job is marked as Failed with an error message displayed in Splunk UBA.
Scheduled Scheduled jobs, such as Human Resources (HR) data or Threat Intel, have this status before they are run.

Live data sources can only be in Processing, Stopped, or Failed state.

Edit data sources in Splunk UBA

You can edit an existing data source in Splunk UBA. For example, you can change the name of a data source or update its connection information, time range, or SPL. A data source can be edited regardless of its status.

Perform the following steps to edit a data source:

  1. Click on the data source you want to edit. You can review detailed information about the data source such as its URL, time range, and SPL. This can help you verify the information you need to update.
  2. Click Edit.
  3. Make the desired changes and navigate through the Edit Data Source wizard until you reach the end.
  4. Click OK.

Changes to a data source are not picked up by Splunk UBA until the data source is restarted.

  • If the data source is currently running, click Stop to stop the data source, then click Start to restart it.
  • If the data source is currently not running, click Start to start the data source.
Last modified on 18 October, 2019
PREVIOUS
Monitor the quality of data sent from the Splunk platform
  NEXT
Validate data availability

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters