Splunk® User Behavior Analytics Monitoring App

Splunk UBA Monitoring App

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Send Splunk UBA logs to a custom index on the Splunk platform

You can specify a custom index to use instead of potentially overloading the default _internal index. Once the Splunk UBA logs are ingested by the Splunk platform, they can be used by the Splunk UBA Monitoring App.

Send Splunk UBA logs to a custom index for new Splunk UBA installations

Perform the following tasks to send Splunk UBA logs to a custom index on the Splunk platform:

  1. Begin by Contacting Splunk Support to request the Splunk license for ingesting Splunk UBA logs. See Obtain a Splunk license for ingesting Splunk UBA logs in Install and Configure Splunk User Behavior Analytics.
  2. Perform the following tasks on the Splunk UBA master node:
    1. Add the splunk.forwarder.server.index.name property to the /etc/caspida/local/conf/uba-site.properties file and set it to the name of The Splunk UBA index. For example:
      If you specify an index name that does not already exist, create a new event index. See Create custom indexes in the Splunk Enterprise Managing Indexers and Clusters of Indexers manual.
    2. Synchronize the cluster in distributed deployments. Run the following command:
      /opt/caspida/bin/Caspida sync-cluster  /etc/caspida/local/conf
    3. Run the following command to switch the index for all forwarders from the default _internal index to the new index, such as ubaindex in our example:
      /opt/caspida/bin/Caspida switch-splunk-index
  3. On the Splunk search head with the Splunk UBA Monitoring App installed, modify the search macro uba_index to point to the new index.
    1. From Splunk web, select Settings > Advanced search.
    2. Click Add new in the Search Macros field.
    3. Select Splunk_UBA_Monitor as the Destination App.
    4. Specify uba_index as the Name of the macro.
    5. Specify the name of the new index in the Definition field. For example:

      If you want to keep the data in the existing _internal index along with the new index, use the following syntax:

      (index IN (_internal, ubaindex))
    6. Click Save.

Perform additional setup on the Splunk platform when upgrading the Splunk UBA Monitoring App

If you are upgrading the Splunk UBA Monitoring App on the Splunk platform to the latest version, you will see a window indicating additional setup is required to complete the upgrade. Perform the following tasks:

  1. Click Set up now to set up the new version of the Splunk UBA Monitoring App.
  2. Update the macro for the Splunk UBA index. The default is (index=_internal). To add a custom index called ubaindex, change the macro to the following:
    (index=_internal OR index=ubaindex)
    Keep _internal so that all existing data prior to the upgrade is preserved for continuity.
  3. Click Save.
Last modified on 22 October, 2020
Enable Splunk UBA to forward data to the Splunk platform
Send all logs to the Splunk platform

This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.1.1, 1.1.2, 1.1.3

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters