Exposure Analytics diagnostics
The Exposure analytics diagnostics dashboard gives administrators in Splunk Enterprise Security visibility into the configuration, health, and operational activity of the application. It consolidates audit reporting, inventory data exporting, and system health monitoring in one place, so administrators can verify that the app is configured correctly, track who has made changes, and diagnose performance or compliance issues before they affect analysis.
As an admin, you can monitor Exposure Analytics by auditing the operational health dashboard. To view the dashboard, select Analytics and then Exposure analytics and then Exposure analytics diagnostics.
The operational health dashboard includes information on data source compliance, internal lookup health, processing search times, KV store details, and more. You can use this data to report on the health of Exposure Analytics. For example, you might find that the processing time for a search is particularly high. A high processing time might indicate a high search load on the Splunk search head.
The following table defines the health statuses for processing searches:
| Health status | Description |
|---|---|
| Good | The run time is under 3 minutes. |
| OK | The run time is 3–4 minutes. |
| Elevated | The run time is 4–5 minutes. |
| Critical | The run time is over 5 minutes. |
In the Data source health table, a data source is Noncompliant if the lastdetect_sec exceeds the compliance_window. A compliant result of N/A indicates that no compliance window has been set for the data source.
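The two rules above (the four search-health bands and the Noncompliant / N/A evaluation for data sources) are simple enough to reproduce outside Splunk, which is useful when you export the dashboard data and want to flag rows for attention in a script. The following Python is an added example, not Splunk's own code. It assumes that each band's lower bound is inclusive (a run time of exactly 3:00 is OK, 4:00 is Elevated and 5:00 is Critical), since the page does not say how the boundaries are treated, and the sample rows are constructed for illustration.

```python
"""Added example: re-implementing the Exposure Analytics diagnostics rules.

Not part of Splunk's code. Boundary handling (lower bound inclusive) is an
assumption; the documentation only gives the minute ranges.
"""
from typing import Dict, List, Optional


def search_health_status(run_time_sec: float) -> str:
    """Map a processing-search run time (seconds) to the health status band.

    Good     < 3 min
    OK       3-4 min
    Elevated 4-5 min
    Critical > 5 min   (assumption: exactly 5:00 counts as Critical)
    """
    minutes = run_time_sec / 60.0
    if minutes < 3:
        return "Good"
    if minutes < 4:
        return "OK"
    if minutes < 5:
        return "Elevated"
    return "Critical"


def data_source_compliance(lastdetect_sec: float,
                           compliance_window: Optional[float]) -> str:
    """Evaluate the Data source health rule.

    Noncompliant when lastdetect_sec exceeds compliance_window;
    N/A when no compliance window has been set for the data source.
    """
    if compliance_window is None:
        return "N/A"
    return "Noncompliant" if lastdetect_sec > compliance_window else "Compliant"


# Constructed sample rows, shaped like an export of the two dashboard tables.
SAMPLE_SEARCHES: Dict[str, float] = {
    "asset_inventory_merge": 95.0,
    "vuln_enrichment": 185.0,
    "identity_correlation": 255.0,
    "exposure_scoring": 330.0,
}
SAMPLE_SOURCES: List[Dict[str, Optional[float]]] = [
    {"name": "cmdb",        "lastdetect_sec": 3600.0,   "compliance_window": 86400.0},
    {"name": "edr_agent",   "lastdetect_sec": 172800.0, "compliance_window": 86400.0},
    {"name": "manual_feed", "lastdetect_sec": 500.0,    "compliance_window": None},
]


def diagnostics_report(searches: Dict[str, float],
                       sources: List[Dict[str, Optional[float]]]) -> Dict[str, List[str]]:
    """Return the rows an admin should look at first.

    'attention' lists searches in the Elevated or Critical band, and
    'noncompliant' lists data sources whose last detection is outside their
    compliance window. Sources with no window set (N/A) are reported
    separately so they are not mistaken for healthy ones.
    """
    report: Dict[str, List[str]] = {"attention": [], "noncompliant": [], "no_window": []}
    for name, secs in searches.items():
        status = search_health_status(secs)
        if status in ("Elevated", "Critical"):
            report["attention"].append(f"{name}: {status} ({secs:.0f}s)")
    for src in sources:
        result = data_source_compliance(src["lastdetect_sec"], src["compliance_window"])
        if result == "Noncompliant":
            report["noncompliant"].append(str(src["name"]))
        elif result == "N/A":
            report["no_window"].append(str(src["name"]))
    return report


if __name__ == "__main__":
    for line in diagnostics_report(SAMPLE_SEARCHES, SAMPLE_SOURCES).items():
        print(line)
```

Note that a data source whose compliance result is N/A is not "Compliant": nothing has been checked, so the report keeps those sources in their own list rather than dropping them.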
You can monitor, export, and share audit data in Exposure Analytics from several available audit reports. You might want to review audit reports, for example, before and after you upgrade. To access audit data, select Admin and then Audit.
The following table outlines the available audit reports and what you can do with each one:
| Audit report | Description |
|---|---|
| Configuration audit | The Configuration audit page reports on local configurations, which include changes that override the original configuration, and additional configurations, which include added changes that don't override the original configuration. The result column displays either a value of different or identical, which describes how the item compares to the original configuration. To find a particular configuration change, you can filter by type, file, and more. |
| Configuration healthcheck | You can use the Configuration healthcheck page to monitor for errors with configured metrics and data sources. You can also monitor current knowledge objects, such as default user accounts, and compare them against the expected knowledge objects. |
| Sharing audit | Some objects, such as dashboards or saved searches, in Splunk Asset and Risk Intelligence are shared only within the app, while others are shared globally with other apps. You can review the sharing status of objects on the Sharing audit page, and you can filter objects by type, such as lookups or macros. |
| Data source audit | Select from different inventories to find which data sources contribute to each field. You can choose to display by count or percentage. For example, the CMDB data source might contribute 200 records to the asset_class field. If the total count of records for that field is 800, then the percentage display for CMDB would be 25%. |