Link analysis, a data analysis approach for discovering relationships and connections between data elements and entities, has many use cases, including cybersecurity, fraud analytics, crime investigations, and finance. In my last post, "Advanced Link Analysis: Part 1 - Solving the Challenge of Information Density," I covered how advanced link analysis can be used to solve the challenge of information density. I also introduced the Sigbay Link Analysis app, which helps you uncover actionable insights faster in Splunk Enterprise and Splunk Cloud.
In this post, I'll walk through a step-by-step process for building a dashboard with the Sigbay Link Analysis visualization app from scratch.
There are a few key differences between how the Sigbay Link Analysis visualization works and how other Splunk visualization apps work:
1. The Sigbay Link Analysis app does not run a predefined SPL query the way other Splunk visualization tools do. In its current implementation, the visualization is driven by the data model defined in its settings and by an optional time frame defined in a custom filter.
2. It is powered by an Accelerated Data Model (ADM) defined in the settings; it does not read raw indexes.
3. When a user interacts with the visualization, for example by clicking on nodes, it dynamically generates tstats queries against the ADM. The ADM allows important metrics and statistics to be evaluated quickly for every node, and dynamic query generation lets the user focus on investigating the data and discovering insights instead of struggling with custom queries and constantly updating the dashboard.
4. The visualization has a custom filter area where you can define the time range, for example:
earliest=$timeframe.earliest$ latest=$timeframe.latest$
This lets the user pass time tokens and other tokens that define the initial data coverage of the visualization.
5. The visualization populates a few tokens, such as:
$token_la_filter$
This token contains a fragment of an SPL filter representing the nodes the user is currently interacting with. It is suitable for driving other panels in the same dashboard based on the values clicked in Link Analysis. Because the fragment is spliced verbatim into whatever search consumes the token, scope those panels to the same data model and fields rather than treating the token as free-form input.
To implement a first dashboard with the link analysis visualization, we will follow this process:
I've recorded a full demo video that walks through all of these steps:
Here is a copy of the anonymized dataset (web_traffic2.csv) used in this demo.
To follow the step-by-step guidance in the video, make sure you have access to Splunk Cloud, have downloaded the example dataset locally, and have the Sigbay Link Analysis app installed (if you don't, go to "Manage Apps" -> [Install App from File]).
This creates a blank app as a placeholder in which to build the dashboards.
The data model acceleration process then begins; it may take up to an hour depending on the speed of your server. You can monitor it until it reaches 100% by clicking the "Update" link in the data model manager panel:
The easiest way to build a dashboard with the Sigbay Link Analysis app is to start with a simple, dummy SPL search, then select the visualization and apply its configuration:
Fill the configuration form as shown on the image.
For "Fields" input, enter:
Country|src_ip|username_tried|logged_in|accept_language|http_method|status|http_user_agent|uri_path
For "Aggregates" input, enter:
count as Events|sum(bytes_in) as BytesIn|dc(username_tried) as Usernames
Fields of interest are separated with a "|" character, and so are the aggregate functions.
Once you have filled in the dialog, click "Save As" -> "Dashboard Panel", enter the dashboard name "Web Traffic Analysis", and press [Save]:
Once the dashboard is created, click the [View Dashboard] button.
This is how the dashboard should look:
At this point you can customize the dashboard slightly by pressing [Edit]. I prefer to make the visualization a bit taller and switch the dashboard theme to dark mode:
We can also start clicking on nodes or selecting multiple nodes (Ctrl+Click adds a node to the selection) to build more complex filters.
Here we selected Country=Russia and status=500 to investigate all traffic originating from Russia that caused 500 errors:
Now that we have built a fully functioning dashboard, you can start investigating.
The full video is here:
Here are short examples:
Analyzing all successful logins (where the logged_in flag = 1):
Selecting all traffic that produced error codes >= 400. Link analysis lets you use comparison expressions to select numeric nodes efficiently:
Analyzing all traffic accessing administrative accounts. Link analysis can dynamically select matching nodes when you type a partial value into the "global search" input in the sidebar:
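The dynamic query generation described in the list of differences above, the "Fields" and "Aggregates" configuration, and the selections in these short examples (Country=Russia with status=500, status>=400, and a partial match on administrative accounts) can be seen together in the following added Python illustration. It is not the Sigbay app's code and not part of the original post: it shows the kind of tstats query such a panel issues against the accelerated data model for a given node selection, and the SPL filter fragment a token like $token_la_filter$ could carry. The data model name Web_Traffic, the dataset-prefix convention for field references, the comparison syntax accepted for numeric nodes, and the escaping rules are all assumptions made for the example.

```python
import re

# Assumed name of the accelerated data model and its root dataset; the real
# name is whatever you selected in the visualization settings.
DATAMODEL = "Web_Traffic"

# Configuration strings exactly as typed into the "Fields" and "Aggregates"
# inputs of the dialog.
FIELDS = ("Country|src_ip|username_tried|logged_in|accept_language|"
          "http_method|status|http_user_agent|uri_path")
AGGREGATES = "count as Events|sum(bytes_in) as BytesIn|dc(username_tried) as Usernames"

# A node selection such as ">=400" or "500" on a numeric field (assumed syntax).
_NUMERIC_EXPR = re.compile(r"^(>=|<=|!=|>|<|=)?\s*(-?\d+(?:\.\d+)?)$")
# The field inside an aggregate such as sum(bytes_in).
_AGG_FIELD = re.compile(r"\(([A-Za-z_][A-Za-z0-9_]*)\)")


def split_config(value):
    """Split a '|'-separated dialog entry into its non-empty parts."""
    return [part.strip() for part in value.split("|") if part.strip()]


def qualify(field):
    """Prefix a field with the dataset name, as tstats field references need."""
    return f"{DATAMODEL}.{field}"


def quote_value(value):
    """Quote a string literal for SPL, escaping backslashes and double quotes
    so a clicked value cannot break out of the literal."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def node_clause(field, selection):
    """Turn one selected node into one SPL comparison. Numeric nodes may be
    chosen with a comparison like '>=400'; a partial match typed into the
    global search is passed through as a wildcard literal like '*admin*'."""
    m = _NUMERIC_EXPR.match(selection)
    if m:
        return f"{qualify(field)}{m.group(1) or '='}{m.group(2)}"
    return f"{qualify(field)}={quote_value(selection)}"


def filter_fragment(selections, allowed_fields):
    """Build the SPL filter fragment a token such as $token_la_filter$ would
    carry. selections maps field -> list of selected values; values of one
    field are ORed and different fields are ANDed. Field names are checked
    against the configured list so only known fields reach the query."""
    clauses = []
    for field, values in selections.items():
        if field not in allowed_fields:
            raise ValueError(f"field not in configured field list: {field!r}")
        parts = [node_clause(field, v) for v in values]
        clauses.append(parts[0] if len(parts) == 1 else "(" + " OR ".join(parts) + ")")
    return " ".join(clauses)


def build_tstats(selections, earliest="$timeframe.earliest$", latest="$timeframe.latest$"):
    """Assemble the tstats query for the current selection: the configured
    aggregates, the time range from the custom filter, the node filter, and
    a split by every configured field."""
    fields = split_config(FIELDS)
    aggs = [_AGG_FIELD.sub(lambda m: "(" + qualify(m.group(1)) + ")", a)
            for a in split_config(AGGREGATES)]
    where = f"earliest={earliest} latest={latest}"
    fragment = filter_fragment(selections, fields)
    if fragment:
        where += " " + fragment
    return (f"| tstats {', '.join(aggs)} from datamodel={DATAMODEL} "
            f"where {where} by {', '.join(qualify(f) for f in fields)}")


if __name__ == "__main__":
    # The selection from the walkthrough: Country=Russia with status=500.
    print(build_tstats({"Country": ["Russia"], "status": ["500"]}))
```

The two checks worth keeping in any dashboard that consumes a filter token are the ones shown here: field names are accepted only from the configured field list, and string values are quoted and escaped before they are concatenated into SPL, so a value that happens to contain a quote or an operator selects a node rather than rewriting the search.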
Feel free to contact me with any questions at the link in my profile.