Share data usage in Splunk Enterprise Security

When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.

How data is collected

Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background regardless of whether you opt in to send usage data to Splunk, and do not have any significant impact on performance.

Splunk Enterprise Security also uses FullStory to collect experiential user journey information, with users' personally identifiable information redacted.

Splunk collects usage data to improve the design, usability, and experience of the product. Customers may opt out of sharing AI data including, but not limited to, chats, responses, context, and feedback. To opt out of sharing this AI data, see Opt out of data sharing for the AI Assistant in Splunk Enterprise Security.

What data is collected

Splunk Enterprise Security version 8.4 collects the following basic usage information. This page includes new telemetry components introduced in version 8.4. Splunk Enterprise Security still collects components introduced in earlier versions. Use the version selector to see data collection documentation from earlier versions.

For more information on telemetry collected by Splunk SOAR, see Share data from Splunk SOAR (Cloud).

Component Description Example
Component: team-queue-created
Description: Indicates that a team queue was created and reports the total number of queues.
Example: There were 3 team-based queues and we create one with the title "Four". We capture:

JSON
{
   "count": 4,
   "title": "Four"
}

Component: team-queue-changed
Description: Indicates that a team queue was updated and reports the total number of queues.
Example: We change the name of one of the team-based queues from "Queue A" to "Queue B". We capture:

JSON
{
   "count": 4,
   "title": "Queue B"
}

Component: team-queue-selected
Description: Indicates that a team queue was selected on the Analyst Queue.
Example: We have 2 queues, "Queue1" and "Queue2", and we select one of them. We capture:

JSON
{
  "isTeamQueueSelected": true
}

Component: team-queue-role-added
Description: Indicates that roles were added to a team queue (captures all roles added as an array).
Example: There were 3 roles, and roles demoRole and mc_analyst were added. We capture:

JSON
{
  "count": 5,
  "title": "queueName"
}

Component: team-queue-role-removed
Description: Indicates that roles were removed from a team queue (captures all roles removed as an array).
Example: There were 5 roles, and roles demoRole and mc_analyst were removed. We capture:

JSON
{
  "count": 3,
  "title": "queueName"
}

Component: team-queue-rule-created
Description: Indicates that a rule was created and reports the total number of rules created in the team queue conditions.
Example: We had 3 rules for a particular queue and we add one rule to it. We track:

JSON
{
  "rule_count": 4,
  "title": "QueueName",
  "queueId": "qid",
  "changeCount": 1
}

Component: team-queue-rule-changed
Description: Indicates that a rule was modified and reports the total number of rules in the team queue conditions.
Example: We had 3 rules for a particular queue and we add filters to one of those rules. We track:

JSON
{
  "rule_count": 3,
  "title": "QueueName",
  "queueId": "qid",
  "changeCount": 1
}

Component: team-queue-rule-removed
Description: Indicates that a rule was removed and reports the total number of rules in the team queue conditions.
Example: We had 3 rules for a particular queue and we delete one rule from it. We track:

JSON
{
  "rule_count": 2,
  "title": "QueueName",
  "queueId": "qid",
  "changeCount": 1
}

Component: team-queue-manual-move
Description: Indicates when an item or items are being moved.
Example: We move 100 items from Queue A to Queue B. Because the destination is a team-based queue, isTeamQueue is true. We track:

JSON
{
  "isTeamQueue": true,
  "itemsSelected": 100
}

Then we move 100 items from Queue B to the default queue. Because the destination is not a team-based queue, isTeamQueue is false. We track:

JSON
{
  "isTeamQueue": false,
  "itemsSelected": 100
}

Component: team-queue-priority-changed
Description: Indicates that the priorities of the queues were modified (which affects rule execution).
Example: We had the queue order [A, B, C] and we change the order to [C, B, A]. We track:

JSON
{
  "count": 2
}

Component: team-queue-rule-execution
Description: Indicates that a finding was sent to a queue.

Component: add-event-to-investigation, workflow-action-clicked
Description: Measures click volume from the ES search page to the add-event workflow.
Example:
JSON
{
  "appName": "enterprise-security",
  "component": "add-event-to-investigation",
  "data": {
    "action": "workflow-action-clicked",
    "source": "search-page"
  }
}

Component: add-event-error
Description: Indicates that the API call returned an error when the user tried to add an event to the investigation.
Example:
JSON
{
  "appName": "MissionControl",
  "component": "add-event-to-investigation",
  "data": {
    "action": "add-event-success",
    "source": "add-event-to-investigation-page"
  }
}

Component: add-event-success
Description: Indicates that the user successfully added an event to an investigation.
Example:
JSON
{
  "appName": "MissionControl",
  "component": "add-event-to-investigation",
  "data": {
    "action": "add-event-success",
    "source": "add-event-to-investigation-page"
  }
}

Component: add-event-exception
Description: Aims to detect client-side exceptions thrown when the user tried to add an event to an investigation.
Example:
JSON
{
  "appName": "MissionControl",
  "component": "add-event-to-investigation",
  "data": {
    "action": "add-event-exception",
    "source": "investigation-search-tab",
    "error": "Network request failed"
  }
}

Component: finding-modal-investigation-option
Description: The selectedOption of the NEW or EXISTING button once it is checked.
Example:
JSON
{
  "appName": "enterprise-security",
  "component": "finding-modal-investigation-option",
  "data": {
    "selectedOption": "NEW"
  }
}

Component: finding-modal-investigation-selected
Description: The investigation ID of the item selected for investigation.
Example:
JSON
{
  "appName": "enterprise-security",
  "component": "finding-modal-investigation-selected",
  "data": {
    "investigationId": "2378"
  }
}

Component: finding-modal-investigation-type-change
Description: Defined in settings; defaults to the default type.
Example:
JSON
{
  "appName": "enterprise-security",
  "component": "finding-modal-investigation-type-change",
  "data": {
    "investigationType": "default"
  }
}

Component: finding-modal-finding-created
Description: A summary of the findings created, including whether or not they have an investigation.
Example:
JSON
{
  "appName": "enterprise-security",
  "component": "finding-modal-finding-created",
  "data": {
    "hasInvestigation": false,
    "investigationOption": "none",
    "securityDomain": "endpoint",
    "hasCustomFields": ""
  }
}

Component: finding-modal-error
Description: Indicates an error when finding creation fails.
Example:
JSON
{
  "appName": "enterprise-security",
  "component": "finding-modal-error",
  "errorInfo": "Finding creation failed"
}

Component: create-new-investigation-modal
Description: A summary of the new investigation created.
Example:
JSON
{
  "appName": "enterprise-security",
  "component": "create-new-investigation-modal",
  "data": {
    "investigationType": "Endpoint",
    "hasCustomFields": ""
  }
}

Component: investigation-modal-created
Description: Contains the current queue in which the investigation is created.
Example:
JSON
{
  "appName": "enterprise-security",
  "component": "investigation-modal-created",
  "data": {
    "investigationType": "Endpoint",
    "hasQueue": ""
  }
}

Component: investigation-modal-error
Description: Indicates an error when investigation creation fails.
Example:
JSON
{
  "appName": "enterprise-security",
  "component": "investigation-modal-error",
  "errorInfo": "Investigation creation failed"
}

Component: toggledAIAssistantAvailability
Description: Tracks when a user toggles the AI assistant on or off.
Example:
JSON
{
  "appName": "enterprise-security",
  "component": "toggledAIAssistantAvailability",
  "data": {
    "previousState": true,
    "newState": false,
    "timestamp": "2026-01-23T09:42:31.008Z",
    "userRoles": ["ess_analyst"]
  }
}

Component: non-skewable-detections-table
Description: Tracks how many detections a user converts to skewable in the non-skewable detections table.
Example:
JSON
{
  "appName": "enterprise-security",
  "component": "non-skewable-detections-table",
  "data": {
    "action": "convert-cron-to-skewable",
    "number_of_detections": 5
  }
}

Component: allow-skew-cron-schedule
Description: Tracks whether a user converts a detection to skewable in the detection editor.
Example:
JSON
{
  "appName": "enterprise-security",
  "component": "allow-skew-cron-schedule",
  "data": {
    "action": "convert-cron-to-skewable"
  }
}

Share threat data in Splunk Enterprise Security

Sharing of telemetry usage data is different from sharing threat data. If you are a Splunk Enterprise Security Hosted Service Offering (cloud) customer with a standard terms contract renewed or created after January 10, 2025, you can refer to Share threat data in Splunk Enterprise Security for details on enhanced data sharing to support improved detection capabilities, update threat intelligence, and operations of our security content offerings.