Create a new data cube
Create a new data cube to use with a new custom rare events or time series model. If you are cloning an existing model, the new model uses the same cube as the original model. You can't select a new cube when cloning an existing model.
You can create a maximum of four custom cubes in Splunk UBA, and each cube can have a maximum of six dimensions and three measures.
Only users with the role of Content_Developer can add custom cubes.
Perform the following tasks to create a new cube:
- In Splunk UBA, select System > Cubes.
- Click New Cube.
- Define the cube properties.
- Configure the cube attributes.
- Configure the aggregation filter.
- Click OK.
Saving a custom cube can take up to 10 minutes, depending on the configuration of the cube.
Define the cube properties
Define the cube properties:
- Provide a name, description, and version number. The version number must be an integer.
- Configure a retention interval. By default, data cubes retain 30 days worth of data.
- Configure the data aggregation interval. By default, data cubes collect data every 24 hours (1 day).
- Select the view type from the drop-down list in the View Type field to filter events based on the selected view. See Examine existing cubes to get more information about Splunk UBA data views for details about Splunk UBA views and cubes. Select Null if you know that the attributes you want to track do not belong to a view.
- Click Next.
Configure the cube attributes
Configure the data and format of the data you want to store in the cube.
The following attributes are required, depending on the purpose for which you are creating the new cube:
- If you are creating a cube to use with a new rare events model, the user ID is required and must be tracked.
- If you are creating a cube to use with a new time series model, you can choose to track either the user ID or device ID. You must track one of them.
See Store generic events in Splunk UBA data cubes for information about how to populate a custom cube with the user ID or device ID.
Perform the following tasks to configure the cube attributes:
- Provide a name and description for each attribute. The name must be alphanumeric, contain at least one letter, use no special characters other than underscore (_), and contain no white space.
- Select the category of the attribute, either dimension or measure. See Example cube and descriptions for more information about dimensions and measures.
- Specify the attribute key. See Examine existing cubes to get more information about Splunk UBA data views for information about how to find view attributes and attribute keys.
- Specify the function of the attribute.
  - If the attribute is a dimension, the function must be None.
  - If the attribute is a measure, select one of the following functions:

| Value | Description |
|---|---|
| COUNT | Increment the count by 1 each time the value is not empty or null. |
| COUNT_TRUE | Increment the count by 1 each time a boolean value is TRUE. |
| SUM | Compute the sum of the attribute's value. |
- Enter a description for the attribute.
- (Optional) Verify that the attributes are in the order you want. If there is more than one attribute, you can change the order by disabling the Preserve Order toggle and dragging the attributes to the desired arrangement. Changing the attribute order is not allowed once the cube is created.
- Click Next.
The attribute tables created in the Splunk UBA web interface are stored in the Impala data tables. Do not delete or edit the tables using the CLI. Edit the data cube using the Splunk UBA web interface if you need to make changes.
Configure the aggregation filter
Filter the data you want to store in the cube to make sure that only proper events are stored. For example, suppose you have a cube that is tracking attributes from Windows security events for a specific use case. In some cases, an event might be missing an event ID. Do not store these types of events in the cube as the lack of an event ID means the events will not be useful later on when parsed by a model. Enter a filter such as the following to make sure that events without an event ID are not stored:
eventId != null
Multiple filters are processed using a logical AND relationship among the filters.
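To make the filter and measure semantics concrete, here is an added Python model (not Splunk UBA code; the real cube is aggregated in Impala) that applies AND-combined filters and then the COUNT, COUNT_TRUE and SUM functions to constructed events grouped by dimension. The event fields, the predicate form of the `eventId != null` filter and the limit check are assumptions for illustration.

```python
"""Model of how a custom cube aggregates filtered events (constructed example)."""
from collections import defaultdict

# Measure functions, following the table in "Configure the cube attributes".
MEASURE_FUNCS = {
    # COUNT: +1 each time the value is not empty or null
    "COUNT": lambda values: sum(1 for v in values if v not in (None, "")),
    # COUNT_TRUE: +1 each time a boolean value is TRUE
    "COUNT_TRUE": lambda values: sum(1 for v in values if v is True),
    # SUM: sum of the attribute's values (nulls contribute nothing)
    "SUM": lambda values: sum(v for v in values if v is not None),
}

def aggregate(events, dimensions, measures, filters):
    """Return {dimension tuple: {measure attr: value}} for events passing all filters.

    dimensions: list of attribute keys (at most six per cube)
    measures:   {attribute key: function name} (at most three per cube)
    filters:    predicates combined with logical AND, as the UI does
    """
    if len(dimensions) > 6 or len(measures) > 3:
        raise ValueError("a cube allows at most six dimensions and three measures")
    kept = [e for e in events if all(f(e) for f in filters)]
    buckets = defaultdict(lambda: defaultdict(list))
    for e in kept:
        key = tuple(e.get(d) for d in dimensions)
        for attr in measures:
            buckets[key][attr].append(e.get(attr))
    return {key: {attr: MEASURE_FUNCS[func](vals[attr]) for attr, func in measures.items()}
            for key, vals in buckets.items()}

# Constructed Windows security-style events; one is missing its eventId.
EVENTS = [
    {"userId": "alice", "eventId": 4625, "failed": True, "bytes": 120, "host": "ws1"},
    {"userId": "alice", "eventId": 4625, "failed": True, "bytes": 80, "host": None},
    {"userId": "alice", "eventId": 4624, "failed": False, "bytes": 300, "host": "ws1"},
    {"userId": "bob", "eventId": None, "failed": True, "bytes": 50, "host": "ws2"},  # dropped
    {"userId": "bob", "eventId": 4625, "failed": None, "bytes": None, "host": "ws2"},
]

# The filter "eventId != null" from the text, written as a Python predicate (assumption).
FILTERS = [lambda e: e.get("eventId") is not None]

def example():
    """Two dimensions (userId, eventId) and three measures, one per function."""
    measures = {"failed": "COUNT_TRUE", "bytes": "SUM", "host": "COUNT"}
    return aggregate(EVENTS, ["userId", "eventId"], measures, FILTERS)
```

The event for bob with a null eventId never reaches a bucket, which is the behaviour the filter above is meant to guarantee.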
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1