Splunk® User Behavior Analytics

Develop Custom Content in Splunk User Behavior Analytics

Create a new data cube

Create a new data cube to use with a new custom rare events or time series model. If you are cloning an existing model, the new model uses the same cube as the original model. You can't select a new cube when cloning an existing model.

You can create a maximum of four custom cubes in Splunk UBA, and each cube can have a maximum of six dimensions and three measures.

Only users with the role of Content_Developer can add custom cubes.

Perform the following tasks to create a new cube:

  1. In Splunk UBA, select System > Cubes.
  2. Click New Cube.
  3. Define the cube properties.
  4. Configure the cube attributes.
  5. Configure the aggregation filter.
  6. Click OK.

Saving a custom cube can take up to 10 minutes, depending on the configuration of the cube.

Define the cube properties

Define the cube properties:

  1. Provide a name, description, and version number. The version number must be an integer.
  2. Configure a retention interval. By default, data cubes retain 30 days' worth of data.
  3. Configure the data aggregation interval. By default, data cubes collect data every 24 hours (1 day).
  4. Select the view type from the drop-down list in the View Type field to filter events based on the selected view. See Examine existing cubes to get more information about Splunk UBA data views for more information about Splunk UBA views and cubes. Select Null if you know that the attributes you want to track do not belong to a view.
  5. Click Next.

Configure the cube attributes

Configure the data and format of the data you want to store in the cube.

The following attributes are required, depending on the purpose for which you are creating the new cube:

  • If you are creating a cube to use with a new rare events model, the user ID is required and must be tracked.
  • If you are creating a cube to use with a new time series model, you can choose to track either the user ID or device ID. You must track one of them.

See Store generic events in Splunk UBA data cubes for information about how to populate a custom cube with the user ID or device ID.

Perform the following tasks to configure the cube attributes:

  1. Provide a name and description for each attribute. The name must be alphanumeric, contain at least one letter, contain no special characters other than underscore (_), and contain no whitespace.
  2. Select the category of the attribute, either dimension or measure. See Example cube and descriptions for more information about dimensions and measures.
  3. Specify the attribute key. See Examine existing cubes to get more information about Splunk UBA data views for information about how to find view attributes and attribute keys.
  4. Specify the function of the attribute.
    • If the attribute is a dimension, the function must be None.
    • If the attribute is a measure, select one of the following functions:
      Value       Description
      COUNT       Increment the count by 1 each time the value is not empty or null.
      COUNT_TRUE  Increment the count by 1 each time a boolean value is TRUE.
      SUM         Compute the sum of the attribute's value.
  5. Enter a description for the attribute.
  6. (Optional) Verify that the attributes are in the order you want. If there is more than one attribute, you can change the order by disabling the Preserve Order toggle and dragging the attributes to the desired arrangement. Changing the attribute order is not allowed once the cube is created.
  7. Click Next.

The attribute tables created in the Splunk UBA web interface are stored in the Impala data tables. Do not delete or edit the tables using the CLI. Edit the data cube using the Splunk UBA web interface if you need to make changes.

Configure the aggregation filter

Filter the data you want to store in the cube to make sure that only proper events are stored. For example, suppose you have a cube that is tracking attributes from Windows security events for a specific use case. In some cases, an event might be missing an event ID. Do not store these types of events in the cube as the lack of an event ID means the events will not be useful later on when parsed by a model. Enter a filter such as the following to make sure that events without an event ID are not stored:

eventId != null

Multiple filters are processed using a logical AND relationship among the filters.
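The following Python model is an added illustration, not Splunk UBA code: it shows how the measure functions from step 4 (COUNT, COUNT_TRUE, SUM) and AND-combined aggregation filters such as `eventId != null` act on a few constructed Windows security events. The attribute names, the extra `userId != null` filter and the event fields are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events (not real UBA data). The second event has no
# eventId and must be dropped by the aggregation filter.
EVENTS = [
    {"eventId": 4625, "userId": "alice", "host": "ws01", "isAdmin": False, "bytes": 120},
    {"eventId": None, "userId": "bob",   "host": "ws02", "isAdmin": True,  "bytes": 80},
    {"eventId": 4625, "userId": "alice", "host": "ws01", "isAdmin": True,  "bytes": 200},
    {"eventId": 4624, "userId": "carol", "host": "ws03", "isAdmin": False, "bytes": None},
]

# Aggregation filters are combined with logical AND, as the page states.
FILTERS = [
    lambda e: e.get("eventId") is not None,   # eventId != null
    lambda e: e.get("userId") is not None,    # userId != null (assumed second filter)
]

# Measure functions with the semantics the page describes.
MEASURES = {
    "COUNT":      lambda acc, v: acc + (1 if v not in (None, "") else 0),
    "COUNT_TRUE": lambda acc, v: acc + (1 if v is True else 0),
    "SUM":        lambda acc, v: acc + (v if isinstance(v, (int, float)) else 0),
}

# Attribute name rule: alphanumeric plus underscore, at least one letter, no whitespace.
NAME_RE = re.compile(r"^(?=.*[A-Za-z])[A-Za-z0-9_]+$")

def validate_attributes(dimensions, measures):
    """Enforce the page's limits: at most six dimensions, three measures, valid names."""
    if len(dimensions) > 6 or len(measures) > 3:
        raise ValueError("a cube allows at most six dimensions and three measures")
    for name in list(dimensions) + [m[0] for m in measures]:
        if not NAME_RE.match(name):
            raise ValueError(f"invalid attribute name: {name!r}")

def aggregate(events, dimensions, measures, filters):
    """Group filtered events by dimension values and fold each measure.
    measures is a list of (attribute_name, event_key, function) tuples."""
    validate_attributes(dimensions, measures)
    cube = defaultdict(lambda: {name: 0 for name, _, _ in measures})
    for ev in events:
        if not all(f(ev) for f in filters):   # every filter must pass (AND)
            continue
        key = tuple(ev.get(d) for d in dimensions)
        for name, event_key, func in measures:
            cube[key][name] = MEASURES[func](cube[key][name], ev.get(event_key))
    return dict(cube)
```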

Last modified on 01 March, 2024

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1
