Splunk Enterprise Security
Can you update the default collection or create a custom collection of swimlanes for the investigator dashboards for Splunk Enterprise Security?

Path Finder

Is there a way to update the default collection or create a custom collection of swimlanes for the investigator dashboards for Splunk for Enterprise Security?

For example, Asset Investigator has the Default collection, the Protocol Intelligence, and then Custom for the user to pick. I'd like to either add a third collection or update the default to include an additional swimlane.

Re: Can you update the default collection or create a custom collection of swimlanes for the investigator dashboards for Splunk Enterprise Security?

Splunk Employee

You can create new swim lanes just like most anything else...by creating a search. Except, in the context of Enterprise Security, you have to use the Content Management framework in order to create a new Swim Lane Search. Once you create that you will have a new swim lane that you can add to your custom grouping. You can find more information here:

http://docs.splunk.com/Documentation/ES/5.1.0/User/Eventinvestigator#Edit_the_swim_lanes

And here:

http://docs.splunk.com/Documentation/ES/5.1.0/Admin/Createswimlanesearches

Hope that helps!

Re: Can you update the default collection or create a custom collection of swimlanes for the investigator dashboards for Splunk Enterprise Security?

Path Finder

I've created a custom swimlane for my Enterprise Security users. I was hoping to add it to the Default collection so they see it by default when they access the dashboard.

I'm trying to avoid having users have to configure the dashboard.

Re: Can you update the default collection or create a custom collection of swimlanes for the investigator dashboards for Splunk Enterprise Security?

Splunk Employee

There is a way. You'll need to edit the "correlationsearches.conf" file, find the stanza in the file that is associated with the Swim Lane Search you created and then under that Swim Lane Search's stanza add the line display.page.asset_investigator.0.collection_name = Default. Just make sure you choose the proper investigator for the search - either asset or identity - in the line you add to the stanza. You'll also need display.page.asset_investigator.0.order = 1 if it's not already there. That ought to get the newly created swim lane search added to the default collection.

Re: Can you update the default collection or create a custom collection of swimlanes for the investigator dashboards for Splunk Enterprise Security?

Splunk Employee

Slight correction....this should be in savedsearches.conf now....not correlationsearches.conf. correlationsearches.conf got deprecated in ES 4.6. So, if you are working in something older than 4.6, use correlationsearches.conf....4.6 and newer, use savedsearches.conf.

Re: Can you update the default collection or create a custom collection of swimlanes for the investigator dashboards for Splunk Enterprise Security?

Path Finder

That did it. As a note, I had to copy 4 lines total to my swimlane from an existing swimlane:

display.page.asset_investigator.0.collection_name = Default
display.page.asset_investigator.0.order = 7
is_visible = false
request.ui_dispatch_app = SplunkEnterpriseSecuritySuite
alert.track = 0

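The replies above describe the edit by hand: open savedsearches.conf (ES 4.6 and newer), find the stanza for the custom swim lane search, and add the display.page.<asset|identity>_investigator.0.collection_name and .order keys. The following is an added example, not code from this thread or from Splunk, that does the same edit programmatically so the investigator name cannot be mistyped, the order number is taken as one past the highest order already in the collection, and re-running it changes nothing. The stanza names and search strings in SAMPLE_CONF are constructed for illustration; the keys themselves are the ones quoted in the thread.

```python
"""Add a custom ES swim lane search to an investigator collection.

Added example for this thread; it is neither the poster's nor Splunk's code.
Assumes ES 4.6 or newer, where swim lane searches live in savedsearches.conf
as ordinary stanzas, and uses only the display.page.* keys named in the thread.
"""
import configparser
import re
from typing import Dict, List, Optional, Tuple

INVESTIGATORS = ("asset", "identity")

# Constructed sample stanzas (not copied from any real deployment).
SAMPLE_CONF = """\
[Custom - VPN Authentication Swim Lane]
search = | tstats count from datamodel=Authentication where Authentication.app="vpn" by _time span=1h
is_visible = false
request.ui_dispatch_app = SplunkEnterpriseSecuritySuite
alert.track = 0

[Existing - Malware Swim Lane]
search = | tstats count from datamodel=Malware by _time span=1h
display.page.asset_investigator.0.collection_name = Default
display.page.asset_investigator.0.order = 3
is_visible = false
"""


def collection_keys(investigator: str) -> Tuple[str, str]:
    """Return the (collection_name, order) keys for the asset or identity investigator."""
    if investigator not in INVESTIGATORS:
        raise ValueError(f"investigator must be one of {INVESTIGATORS}, got {investigator!r}")
    prefix = f"display.page.{investigator}_investigator.0."
    return prefix + "collection_name", prefix + "order"


def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse .conf text; keys stay case-sensitive and '$' in searches is not interpolated."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",), empty_lines_in_values=False
    )
    parser.optionxform = str  # keep request.ui_dispatch_app etc. exactly as written
    parser.read_string(text)
    return parser


def collection_members(text: str, investigator: str, collection: str = "Default") -> List[Tuple[int, str]]:
    """List (order, stanza) for every stanza already assigned to the collection, sorted by order."""
    ck, ok = collection_keys(investigator)
    parser = parse_conf(text)
    members = []
    for stanza in parser.sections():
        section = parser[stanza]
        if section.get(ck) == collection:
            members.append((int(section.get(ok, "0")), stanza))
    return sorted(members)


def ensure_in_collection(text: str, stanza: str, investigator: str,
                         collection: str = "Default", order: Optional[int] = None) -> Tuple[str, Dict[str, str]]:
    """Return (new_text, changes) where changes maps each key written to its value.

    Missing keys are appended to the stanza; a collection_name that points at a
    different collection is rewritten in place; an order that is already present
    is kept. Nothing else in the file is touched, so the call is idempotent.
    """
    ck, ok = collection_keys(investigator)
    parser = parse_conf(text)
    if stanza not in parser:
        raise KeyError(f"no stanza [{stanza}] in savedsearches.conf text")
    section = parser[stanza]
    if order is None:
        members = collection_members(text, investigator, collection)
        order = (members[-1][0] + 1) if members else 1
    wanted = {ck: collection, ok: str(order)}
    changes = {}
    for key, value in wanted.items():
        if key not in section or (key == ck and section[key] != value):
            changes[key] = value

    # Locate the stanza block in the raw text so the rest of the file is preserved byte for byte.
    lines = text.splitlines()
    start = next(i for i, line in enumerate(lines) if line.strip() == f"[{stanza}]")
    end = next((i for i in range(start + 1, len(lines)) if lines[i].lstrip().startswith("[")), len(lines))
    block = lines[start + 1:end]
    appended = []
    for key, value in changes.items():
        pattern = re.compile(rf"^\s*{re.escape(key)}\s*=")
        for i, line in enumerate(block):
            if pattern.match(line):
                block[i] = f"{key} = {value}"  # correct an existing key in place
                break
        else:
            appended.append(f"{key} = {value}")
    # Put new keys after the last non-blank line so the blank stanza separator survives.
    insert_at = len(block)
    while insert_at > 0 and block[insert_at - 1].strip() == "":
        insert_at -= 1
    block[insert_at:insert_at] = appended
    new_text = "\n".join(lines[:start + 1] + block + lines[end:]) + "\n"
    return new_text, changes


if __name__ == "__main__":
    updated, written = ensure_in_collection(SAMPLE_CONF, "Custom - VPN Authentication Swim Lane", "asset")
    print(written)
    print(updated)
```

Run it against the local copy of savedsearches.conf in the app that owns the swim lane search (not the default directory, which upgrades overwrite), then reload or restart as you normally would after a .conf change. Passing "identity" instead of "asset" produces the display.page.identity_investigator.0.* keys for the Identity Investigator.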
Re: Can you update the default collection or create a custom collection of swimlanes for the investigator dashboards for Splunk Enterprise Security?

Splunk Employee

Fantastic! Glad that did it for you! And thanks for sharing the final results that worked best for you!