Splunk® User Behavior Analytics

Develop Custom Content in Splunk User Behavior Analytics

New custom models in test mode

New custom models are created in test mode. After you have created a custom model, you can trigger the model to run one time, or change the model to active mode, which makes it available to Splunk UBA components. See Trigger, activate, or deactivate your custom models.

Only users with the role of Content_Developer can view test mode anomalies.

The anomalies generated by models in test mode are also in test mode. Anomalies generated in test mode can only be viewed by users with content developer privileges, and are not made available to any Splunk UBA components.

Test mode anomalies have the following restrictions:

  • Test mode anomalies are not counted towards the total number of anomalies in Splunk UBA.
  • Test mode anomalies may be included in a threat, but do not factor into the threat's score or into whether the threat is generated. A threat and its score are only affected by live anomalies in the system.
  • Test mode anomalies are not sent to Splunk Enterprise Security (ES). Threats sent to Splunk ES as notable events do not contain references to test mode anomalies.

Anomalies generated by active mode models behave, and are used by Splunk UBA, in the same manner as anomalies generated by the existing live streaming or batch models.

View test mode anomalies

Perform the following steps to view test mode anomalies:

  1. In Splunk UBA, click Anomalies on the home page, or select Explore > Anomalies.
  2. Select Actions > View Test Mode Anomalies.

Last modified on 13 December, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1
