Splunk Enterprise Security

Can you update the default collection or create a custom collection of swimlanes for the investigator dashboards for Splunk Enterprise Security?

AndySplunks
Communicator

Is there a way to update the default collection or create a custom collection of swimlanes for the investigator dashboards for Splunk for Enterprise Security?

For example, Asset Investigator has the Default collection, the Protocol Intelligence, and then Custom for the user to pick. I'd like to either add a third collection or update the default to include an additional swimlane.

1 Solution

pdaigle_splunk
Splunk Employee
Splunk Employee

You can create new swim lanes just like most anything else...by creating a search. Except, in the context of Enterprise Security, you have to use the Content Management framework in order to create a new Swim Lane Search. Once you create that you will have a new swim lane that you can add to your custom grouping. You can find more information here:

http://docs.splunk.com/Documentation/ES/5.1.0/User/Eventinvestigator#Edit_the_swim_lanes

And here:

http://docs.splunk.com/Documentation/ES/5.1.0/Admin/Createswimlanesearches

Hope that helps!

View solution in original post

0 Karma

pdaigle_splunk
Splunk Employee
Splunk Employee

You can create new swim lanes just like most anything else...by creating a search. Except, in the context of Enterprise Security, you have to use the Content Management framework in order to create a new Swim Lane Search. Once you create that you will have a new swim lane that you can add to your custom grouping. You can find more information here:

http://docs.splunk.com/Documentation/ES/5.1.0/User/Eventinvestigator#Edit_the_swim_lanes

And here:

http://docs.splunk.com/Documentation/ES/5.1.0/Admin/Createswimlanesearches

Hope that helps!

0 Karma

AndySplunks
Communicator

I've created a custom swimlane for my Enterprise Security users. I was hoping to add it to the Default collection so they see it by default when they access the dashboard.

I'm trying to avoid having users have to configure the dashboard.

0 Karma

pdaigle_splunk
Splunk Employee
Splunk Employee

There is a way. You'll need to edit the "correlationsearches.conf" file, find the stanza in the file that is associated with the Swim Lane Search you created and then under that Swim Lane Search's stanza add the line display.page.asset_investigator.0.collection_name = Default line. Just make sure you choose the proper investigator for the search - either asset or identity - in the line you add to the stanza. You'll also need display.page.asset_investigator.0.order = 1 if its not already there. That ought to get the newly created swim lane search added to the default collection.

pdaigle_splunk
Splunk Employee
Splunk Employee

Slight correction....this should be in savedsearches.conf now....not correlationsearches.conf. correlationsearches.conf got deprecated in ES 4.6. So, if you are working in something older than 4.6, use correlationsearches.conf....4.6 and newer, use savedsearches.conf.

0 Karma

AndySplunks
Communicator

That did it. As a note, I had to copy 4 lines total to my swimlane from an existing swimlane:

display.page.asset_investigator.0.collection_name = Default
display.page.asset_investigator.0.order = 7
is_visible = false
request.ui_dispatch_app = SplunkEnterpriseSecuritySuite
alert.track = 0

0 Karma

pdaigle_splunk
Splunk Employee
Splunk Employee

Fantastic! Glad that did it for you! And thanks for sharing the final results that worked best for you!

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...