Splunk® User Behavior Analytics

Get Data into Splunk User Behavior Analytics

Add file-based data sources to Splunk UBA

Add new file-based data sources to Splunk UBA. You can use file-based data sources for testing on a small scale.

  1. In Splunk UBA, select Manage > Data Sources.
  2. Click New Data Source.
  3. Select the type of data source you want to add.
  4. Click Next.
  5. Enter a Name to identify the data source in Splunk UBA.
  6. Upload the file.
  7. Click OK.

Because file-based data sources represent static data, you can write a script to create new files periodically, and then load this data into Splunk UBA.

When ingesting file-based events, Splunk UBA extracts the timestamp from events. In most cases, file-based events do not have a time zone associated with the events, so Splunk UBA uses UTC as the default time zone. If you do not want to use UTC as the time zone, perform the following tasks:

  1. Log in to the management node of your Splunk UBA deployment as the caspida user.
  2. Edit the /etc/caspida/local/conf/uba-site.properties file and add the parser.global.input_timezone property. For example, to set the property to Pacific Standard Time (Los Angeles):
    parser.global.input_timezone=America/Los_Angeles
  3. Synchronize the cluster if you have a distributed deployment:
    /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
  4. Stop and start The Splunk UBA containers:
    /opt/caspida/bin/Caspida stop-containers
    /opt/caspida/bin/Caspida start-containers
    
Last modified on 04 March, 2021
Get data into Splunk UBA   Add data sources to Splunk UBA in test mode

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1, 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters