Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Add raw events from the Splunk platform to Splunk UBA

You can add data to Splunk UBA that is not CIM-compliant but is from a supported data source type. Perform the following steps to view the data source types supported by Splunk UBA or refer to subsequent table:

  1. In Splunk UBA, select Manage > Data Sources.
  2. Click New Data Source.
  3. Review the data source types on the Data Source Type page. The supported data source types that can be added to Splunk UBA are listed on this page.
Data Source Type Specific source
Events Data Events File
User Attribution HR File

Splunk HR Data

SIEM Connectors Splunk

Splunk ES Notables

Cloud Services Box

Dropbox

Device Attribution Assets File

Splunk Assets

Hadoop Events Files on HDFS
Threat Data UBA Threat Feed

Consider mapping this data to the appropriate CIM data model, using the method described in Add CIM-compliant data to Splunk UBA from the Splunk platform.

You can add data from multiple time zones using the same method. By default, the connector.splunk.use.time property is set to true to allow data from multiple time zones. For more information about time zones and events in the Splunk platform, see Specify time zones for timestamps in Splunk Enterprise Getting Data In.

To add data that is not CIM-compliant or not from a supported data source type, contact Splunk Professional Services.

Add data from one source type in the Splunk platform to Splunk UBA

  1. In Splunk UBA, select Manage > Data Sources.
  2. Click New Data Source.
  3. Select Splunk as the data source type and click Next.
  4. Specify a name for the data source, such as Splunk. The data source name must be alphanumeric, with no spaces or special characters.
  5. Type a connection URL that matches the URL for your Splunk platform or Enterprise Security search head and management port. For example, https://splunksearchhead.splunk.com:8089. If you have search head clustering configured and a load balancer is available, you can specify the load balancer host name to avoid a single point failure. Ensure that port 8089 is accessible on the load balancer.
  6. Type the user name and password for the Splunk platform account.
  7. Select a Connector Type of Splunk Raw Events and click Next.
  8. Select a time range.
    • To continuously retrieve data using time-based micro batch queries, select Live and All time. See How data gets into Splunk UBA.
    • To retrieve for a specific time window, select Live and Time Window and specify a time period. For example, specify 8h 30s to retrieve data for the past 8 hours and 30 seconds. This is a one-time search and is performed when the data source is added to Splunk UBA. Micro-batch queries are not used for this search.
    • To add historical data from the Splunk platform, select Date Range and select a calendar date range. Only events within the specified calendar window are retrieved. This is a one-time search and is performed when the data source is added to Splunk UBA. Micro-batch queries are not used for this search.
  9. Click Next.
  10. Click Source Types to view the source types from your Splunk platform data.
    Splunk UBA will try to form a connection with the Splunk platform and find source types across all default indexes. If no source types appear, you may have a firewall rule preventing you from being able to query the Splunk platform. You must be able to connect to the Splunk platform and see at least one data source type before you continue.
  11. Select one data source type and click Next.
  12. Select Single Format.
  13. Select the format from the drop-down list of formats.
  14. Click Next.
  15. To add the data source in test mode, leave the check box selected. See Add data sources to Splunk UBA in test mode.
  16. Click OK.

Add data from multiple source types in the Splunk platform to Splunk UBA

Follow this procedure to add multiple data source types from the Splunk platform to Splunk UBA:

  1. In Splunk UBA, select Manage > Data Sources.
  2. Click New Data Source.
  3. Select Splunk as the data source type and click Next.
  4. Specify a name for the data source, such as Splunk. The data source name must be alphanumeric, with no spaces or special characters.
  5. Type a connection URL that matches the URL for your Splunk platform or Enterprise Security search head and management port. For example, https://splunksearchhead.splunk.com:8089. If you have search head clustering configured and a load balancer is available, you can specify the load balancer host name to avoid a single point failure. Ensure that port 8089 is accessible on the load balancer.
  6. Type the user name and password for the Splunk platform account.
  7. Select a Connector Type of Splunk Raw Events and click Next.
  8. Select a time range.
    • To continuously retrieve data using time-based micro batch queries, select Live and All time. See How data gets into Splunk UBA.
    • To retrieve for a specific time window, select Live and Time Window and specify a time period. For example, specify 8h 30s to retrieve data for the past 8 hours and 30 seconds. This is a one-time search and is performed when the data source is added to Splunk UBA. Micro-batch queries are not used for this search.
    • To add historical data from the Splunk platform, select Date Range and select a calendar date range. Only events within the specified calendar window are retrieved. This is a one-time search and is performed when the data source is added to Splunk UBA. Micro-batch queries are not used for this search.
  9. Click Next.
  10. Click Source Types to view the source types from your Splunk platform data.
    Splunk UBA will try to form a connection with the Splunk platform and find source types across all default indexes. If no source types appear, you may have a firewall rule preventing you from being able to query the Splunk platform. You must be able to connect to the Splunk platform and see at least one data source type before you continue.
  11. Select one data source type and click Next.
  12. Select Multiple Formats.
  13. Click Edit Splunk Types Mapping.
  14. Review the list of existing mappings for the data source types you want to add.
    If your data source type is not listed, click Add Mapping and type the Splunk source type in the Splunk Type text box.

    Do not remove any of the existing mappings, as they may be used by other data sources in your system.

  15. Select the UBA Format that matches each data source type from the drop-down list of formats. Specify the Splunk Type in all capital letters.
  16. Click OK to save the data source type mapping.
  17. Click Next.
  18. To add the data source in test mode, leave the check box selected. See Add data sources to Splunk UBA in test mode.
  19. Click OK.
Last modified on 22 April, 2024
Add CIM-compliant data from the Splunk platform to Splunk UBA   Add custom data to Splunk UBA using the generic data source

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters