Share data usage in Splunk Enterprise Security

When Splunk Enterprise Security is deployed on Splunk Enterprise, the Splunk platform sends anonymized usage data to Splunk Inc. ("Splunk") to help improve Splunk Enterprise Security in future releases. For information about how to opt in or out, and how the data is collected, stored, and governed, see Share data in Splunk Enterprise.

How data is collected

Splunk Enterprise Security uses saved searches to collect anonymous usage data. These searches run in the background regardless of whether or not you opt-in to send usage data to Splunk, and do not have any significant impact on performance.

Splunk Enterprise Security also uses FullStory to collect experiential user journey information with the user personally identifiable information redacted.

Splunk collects usage data to improve the design, usability, and experience of the product. Customers may opt-out of sharing AI data including, but not limited to, chats, responses, context, and feedback. To opt out of sharing this AI data, see Opt out of data sharing for the AI Assistant in Splunk Enterprise Security.

What data is collected

Splunk Enterprise Security version 8.3 collects the following basic usage information. This page includes new telemetry components introduced in version 8.3. Splunk Enterprise Security still collects components introduced in earlier versions. Use the version selector to see data collection documentation from earlier versions.

For more information on telemetry information collected by Splunk SOAR, see Share data from Splunk SOAR (Cloud).

ComponentDescriptionExample
app.UEBAContent.DeploymentInfoGeneral information about UEBA CMP deploument. 
{ 
   app: DA-ESS-UEBAContent
   component: app.UEBAContent.DeploymentInfo
   data: { [-]
     monitored_devices: 10
     monitored_users: 50
   }
   deploymentID: e0cc3c50-1421-524d-a1cf-22fa7f1678c9
   eventID: 82FB15E6-9839-404A-8B3E-00E28BE00A38
   executionID: E72C1C29-D16F-4331-8DD6-1E2501EF8E5A
   optInRequired: 3
   original_event_id: cc2ca97a1869a7000c85e5cbac456b858d42c5e25d61dc97bbd877fc3c364bbf
   original_timestamp: 1760584207
   timestamp: 1760584207
   type: aggregate
   visibility: [ [+]
   ]
}
app.UEBAContent.SearchExecutionInformation about UEBA Seraches execution times 
{ 
   app: DA-ESS-UEBAContent
   component: app.UEBAContent.SearchExecution
   data: { [-]
     avg_run_time: 0.56
     count: 22
     search_alias: UEBA - AD Device Access Summarization - Summary Gen
   }
   deploymentID: 2fba8ab1-b4e0-586c-805b-670e371263b1
   eventID: 87675FB5-2CEA-484B-B2ED-D495DB1BB8A5
   executionID: 7992A96B-61EA-4BC2-9290-C363B60E78A5
   optInRequired: 3
   original_event_id: 9401f4a826820d8aba471513f0cfcddaf7ba21149923954232fcf4f292ec175a
   original_timestamp: 1760584203
   timestamp: 1760584203
   type: aggregate
   visibility: [ [+]
   ]
}
app.UEBAContent.DetectionStatusMetrics related to detection execution 
{
  app: search
  component: app.UEBAContent.DetectionStatus
     data: {
        content_provider: cmp
        correlation_search_name: UEBA - Rare Device Login By Windows User - Rule distinct_entity_count: 2
        enabled_status: Enabled 
        entities_count: 82
        findings_count: 2
        latest_run_time: 2025-10-14 09:48:04 UTC
        next_scheduled_time: 2025-10-15 05:00:00 UTC
}
    deploymentID: d7adc549-486a-552f-9758-aa8058656fbd eventID: DBE581BB-ACC2-4F0A-AFCF-EAB034ABBEBA
    executionID: 42E66F61-E2C5-411A-9813-6A4936291E5E
    optInRequired: 3
    splunkVersion: 9.3.3
    timestamp: 1760437392
    type: event
    userID: c68246bdd481dcd97886882354eabb18f7eb72ebe95800dd041503e0899db302
visibility: [
}
app.UEBAContent.FailedSearchesMetrics related to failed UEBA seraches. 
{ [-]
   app: DA-ESS-UEBAContent
   component: app.UEBAContent.FailedSearches
   data: { [-]
     count: 2
     savedsearch_name: UEBA - AD Rare Microsoft Windows Device Access - Scoring
   }
   deploymentID: 63fd904f-0986-51ca-a4fa-cfefe3822b99
   eventID: 19168A80-1A09-4F21-BA75-BCC1938E2A85
   executionID: 2865F436-0285-41DB-B3AC-8AA526DC4498
   optInRequired: 3
   original_event_id: 3264ef3b88886d7522f7ca5e8f2d55a2eb26558d9f01deced93d1cf50250aa44
   original_timestamp: 1760670604
   timestamp: 1760670604
   type: aggregate
   visibility: [ [+]
   ]
}
app.UEBAContent.SkippedSearchesMetrics related to skipped UEBA seraches. 
{ [-]
   app: DA-ESS-UEBAContent
   component: app.UEBAContent.SkippedSearches
   data: { [-]
     count: 5
     savedsearch_name: UEBA - AD Rare Microsoft Windows Device Access - Scoring
   }
   deploymentID: 63fd904f-0986-51ca-a4fa-cfefe3822b99
   eventID: 19168A80-1A09-4F21-BA75-BCC1938E2A85
   executionID: 2865F436-0285-41DB-B3AC-8AA526DC4498
   optInRequired: 3
   original_event_id: 3264ef3b88886d7522f7ca5e8f2d55a2eb26558d9f01deced93d1cf50250aa44
   original_timestamp: 1760670604
   timestamp: 1760670604
   type: aggregate
   visibility: [ [+]
   ]
}
app.UEBAContent.IndexStatsBySourceIndex performance statistics. 
{ [-]
   app: DA-ESS-UEBAContent
   component: app.UEBAContent.IndexStatsBySource
   data: { [-]
     event_count: 888
     events_count_last_24h: 0
     name: unusual_login_authentication_per_user_feature_login
     size_mb: 0.04
   }
   deploymentID: 63fd904f-0986-51ca-a4fa-cfefe3822b99
   eventID: 17574F29-36B7-42B3-AAD6-F81258566D13
   executionID: 2865F436-0285-41DB-B3AC-8AA526DC4498
   optInRequired: 3
   original_event_id: e558cfd39ca58dc7fc55472d7d08921f9e3bfad3eec293e9f0fb78cfef0e49b7
   original_timestamp: 1760670606
   timestamp: 1760670606
   type: aggregate
   visibility: [ [+]
   ]
}
app.UEBAContent.KvStatsPerformance statistcs related to KV Store collections. 
{ [-]
   app: DA-ESS-UEBAContent
   component: app.UEBAContent.KvStats
   data: { [-]
     collection_name: brute_force_authentication_device_user_map
     record_count: 266
     size_kb:1123
   }
   deploymentID: 63fd904f-0986-51ca-a4fa-cfefe3822b99
   eventID: 7FD30E9C-964E-4FB3-86C0-30D306AE283B
   executionID: 2865F436-0285-41DB-B3AC-8AA526DC4498
   optInRequired: 3
   original_event_id: 3b502c5a60b3c3c9842a55666b1d4a03e14c8a31d29fbc8e89366fff452adc4a
   original_timestamp: 1760670605
   timestamp: 1760670605
   type: aggregate
   visibility: [ [+]
   ]
}
app.UEBAContent.IndexStatsIndex performance statistics. 
{ [-]
   app: DA-ESS-UEBAContent
   component: app.UEBAContent.IndexStats
   data: { [-]
     event_count: 10823170
     name: ueba_summaries
     size_mb: 488.515625
   }
   deploymentID: 63fd904f-0986-51ca-a4fa-cfefe3822b99
   eventID: BC5E8952-9AFF-4A1D-A22D-0A0BABF1DD22
   executionID: 2865F436-0285-41DB-B3AC-8AA526DC4498
   optInRequired: 3
   original_event_id: a5165eccc82f04f8c4fbd67a38a87c69b6dc5d5494e9a18fb58152255c449ae2
   original_timestamp: 1760670604
   timestamp: 1760670604
   type: aggregate
   visibility: [ [+]
   ]
}
app.UEBAContent.DataAvailabilityInformation on data availability for UEBA detections. 
{ [-]
   app: DA-ESS-UEBAContent
   component: app.UEBAContent.DataAvailability
   data: { [-]
     fields_availability: { [-]
       EventCode: 100
       derived_LoginSourceDeviceName: 100
       derived_LoginTargetDeviceName: 0
       derived_loginSourceDeviceId: 100
       derived_loginTargetDeviceId: 0
       derived_originDeviceId: 100
       derived_rawSourceAddress: 0
       derived_rawTargetAddress: 100
       derived_sourceDomain: 0
      derived_targetAccountName: 100
       derived_targetDomain: 100
       logonProcess: 100
       logonType: 100
       processName: 100
       returnCode: 100
       total_count: 0
     }
     search_name: Rare Device Access in Windows Login Data
   }
   deploymentID: 2fba8ab1-b4e0-586c-805b-670e371263b1
   eventID: 6DBF04FA-1055-4C20-A098-3AC57A37BBA1
   executionID: 7992A96B-61EA-4BC2-9290-C363B60E78A5
   optInRequired: 3
   original_event_id: 9484b1deae3b03c0b756ca846bf57e05f5f31a659566fc1a5ea4947d85a2d3cd
   original_timestamp: 1760584231
   timestamp: 1760584231
   type: aggregate
   visibility: [ [+]
   ]
}
Mission control - bulkUpdateSuccessA successful bulk update request in the Analyst Queue. 
{
    "type": "MissionControl.bulkUpdateSuccess",
    "data": {
        "action": "Bulk update",
        "totalUpdated": 25,
        "totalSelected": 26,
        "isGlobalSelectionActive": true,
        "appName": "MissionControl",
        "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
        "type": "event",
        "component": "MissionControl.bulkUpdateSuccess",
        "optInRequired": 3,
        "sessionID": "7171cdd1-85e5-4784-b6a4-3fe92d6722ed",
        "name": "bulkUpdateSuccess"
    }
}
Mission control - bulkUpdateGlobalSelectionFailedA failed bulk update request when global selection is active (all items are selected across the entire queue). 
{
    "type": "MissionControl.bulkUpdateGlobalSelectionFailed",
    "data": {
        "error": "Failed to fetch",
        "appName": "MissionControl",
        "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
        "type": "error",
        "component": "MissionControl.bulkUpdateGlobalSelectionFailed",
        "sessionID": "7171cdd1-85e5-4784-b6a4-3fe92d6722ed",
        "optInRequired": 3,
        "name": "bulkUpdateGlobalSelectionFailed"
    }
}
Enterprise security - aq-global-selection-activeWhenever a user clicks the "Select all X findings and investigations" button in the Analyst Queue to active global selection. 
{
    "type": "enterprise-security.aq-global-selection-active",
    "data": {
        "selectedCount": 34,
        "appName": "enterprise-security",
        "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
        "type": "event",
        "component": "enterprise-security.aq-global-selection-active",
        "optInRequired": 3,
        "sessionID": "7171cdd1-85e5-4784-b6a4-3fe92d6722ed",
        "name": "aq-global-selection-active"
    }
}
Enterprise security - aq-assign-to-me-successA successful request to "Assign to me" in the Analyst Queue. 
{
    "type": "enterprise-security.aq-assign-to-me-success",
    "data": {
        "count": 34,
        "isGlobalSelectionActive": true,
        "appName": "enterprise-security",
        "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
        "type": "event",
        "component": "enterprise-security.aq-assign-to-me-success",
        "optInRequired": 3,
        "sessionID": "7171cdd1-85e5-4784-b6a4-3fe92d6722ed",
        "name": "aq-assign-to-me-success"
    }
}
Enterprise security - aq-assign-to-me-failedA failed request to "Assign to me" in the Analyst queue. 
{
    "type": "enterprise-security.aq-assign-to-me-failed",
    "data": {
        "error": "Findings assignment failed: Error: Finding changes could not be saved.",
        "appName": "enterprise-security",
        "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
        "type": "error",
        "component": "enterprise-security.aq-assign-to-me-failed",
        "sessionID": "7171cdd1-85e5-4784-b6a4-3fe92d6722ed",
        "optInRequired": 3,
        "name": "aq-assign-to-me-failed"
    }
}
Enterprise security - aq-global-assign-to-me-failedA failed request to "Assign to me" when global selection is active in the Analyst Queue. 
{
    "type": "enterprise-security.aq-global-assign-to-me-failed",
    "data": {
        "error": "Findings assignment failed: Error: Finding changes could not be saved.",
        "appName": "enterprise-security",
        "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
        "type": "error",
        "component": "enterprise-security.aq-global-assign-to-me-failed",
        "sessionID": "7171cdd1-85e5-4784-b6a4-3fe92d6722ed",
        "optInRequired": 3,
        "name": "aq-global-assign-to-me-failed"
    }
}

Mission Control - PINNED_FIELDS_AQ_SIDE_PANEL

Successful pinning of a field in AQ Sidepanel. 
"data": {
    "action": "pin",
    "fieldKey": "dest",
    "appName": "MissionControl",
    "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
    "type": "event",
    "component": "MissionControl.PINNED_FIELDS_AQ_SIDE_PANEL",
    "optInRequired": 3,
    "sessionID": "a750d471-52ef-4fe1-9440-95f4f700a1b5",
    "name": "PINNED_FIELDS_AQ_SIDE_PANEL",
    "app": "SplunkEnterpriseSecuritySuite",
    "page": "incident_review"
}

Mission Control - PINNED_FIELDS_AQ_SIDE_PANEL

Successful unpinning of a field in AQ Sidepanel. 
"data": {
    "action": "unpin",
    "fieldKey": "dest",
    "appName": "MissionControl",
    "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
    "type": "event",
    "component": "MissionControl.PINNED_FIELDS_AQ_SIDE_PANEL",
    "optInRequired": 3,
    "sessionID": "a750d471-52ef-4fe1-9440-95f4f700a1b5",
    "name": "PINNED_FIELDS_AQ_SIDE_PANEL",
    "app": "SplunkEnterpriseSecuritySuite",
    "page": "incident_review"
}

Mission Control - PINNED_FIELDS_AQ_SIDE_PANEL

Successful reordering of a pinned field in AQ Sidepanel. 
"data": {
    "action": "reorder",
    "fieldKey": "create_time",
    "fromIndex": 0,
    "toIndex": 1,
    "appName": "MissionControl",
    "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
    "type": "event",
    "component": "MissionControl.PINNED_FIELDS_AQ_SIDE_PANEL",
    "optInRequired": 3,
    "sessionID": "a750d471-52ef-4fe1-9440-95f4f700a1b5",
    "name": "PINNED_FIELDS_AQ_SIDE_PANEL",
    "app": "SplunkEnterpriseSecuritySuite",
    "page": "incident_review"
},

Mission Control - PINNED_FIELDS_INVESTIGATION_OVERVIEW

Successful pinning of a field in Investigation Overview. 
"data": {
    "action": "pin",
    "fieldKey": "dest",
    "appName": "MissionControl",
    "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
    "type": "event",
    "component": "MissionControl.PINNED_FIELDS_INVESTIGATION_OVERVIEW",
    "optInRequired": 3,
    "sessionID": "a750d471-52ef-4fe1-9440-95f4f700a1b5",
    "name": "PINNED_FIELDS_INVESTIGATION_OVERVIEW",
    "app": "SplunkEnterpriseSecuritySuite",
    "page": "incident_review"
}

Mission Control - PINNED_FIELDS_INVESTIGATION_OVERVIEW

Successful unpinning of a field in Investigation Overview. 
"data": {
    "action": "unpin",
    "fieldKey": "dest",
    "appName": "MissionControl",
    "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
    "type": "event",
    "component": "MissionControl.PINNED_FIELDS_INVESTIGATION_OVERVIEW",
    "optInRequired": 3,
    "sessionID": "a750d471-52ef-4fe1-9440-95f4f700a1b5",
    "name": "PINNED_FIELDS_INVESTIGATION_OVERVIEW",
    "app": "SplunkEnterpriseSecuritySuite",
    "page": "incident_review"
}

Mission Control - PINNED_FIELDS_INVESTIGATION_OVERVIEW

Successful reordering of a pinned field in Investigation Overview. 
"data": {
    "action": "reorder",
    "fieldKey": "create_time",
    "fromIndex": 0,
    "toIndex": 1,
    "appName": "MissionControl",
    "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
    "type": "event",
    "component": "MissionControl.PINNED_FIELDS_INVESTIGATION_OVERVIEW",
    "optInRequired": 3,
    "sessionID": "a750d471-52ef-4fe1-9440-95f4f700a1b5",
    "name": "PINNED_FIELDS_INVESTIGATION_OVERVIEW",
    "app": "SplunkEnterpriseSecuritySuite",
    "page": "incident_review"
},

Mission Control - PINNED_FIELDS_INVESTIGATION_SIDE_PANEL

Successful pinning of a field in Investigation Overview Sidepanel. 
"data": {
    "action": "pin",
    "fieldKey": "dest",
    "appName": "MissionControl",
    "pathname": "/en-US/app/SplunkEnterpriseSecuritySuite/incident_review",
    "type": "event",
    "component": "MissionControl.PINNED_FIELDS_INVESTIGATION_SIDE_PANEL",
    "optInRequired": 3,
    "sessionID": "a750d471-52ef-4fe1-9440-95f4f700a1b5",
    "name": "PINNED_FIELDS_INVESTIGATION_SIDE_PANEL",
    "app": "SplunkEnterpriseSecuritySuite",
    "page": "incident_review"
}
Enterprise security - aq-analyst-workflowSort AQ table by Entity name. 
appName: 'enterprise-security',
component: 'aq-analyst-workflow',
data: {
  action: 'click',
  section: 'sort-aq-table-by-entity-name',
}
Enterprise security - aq-analyst-workflowSort AQ table by Entity risk score. 
appName: 'enterprise-security',
component: 'aq-analyst-workflow',
data: {
  action: 'click',
  section: 'sort-aq-table-by-entity-risk-score',
}
Enterprise security - aq-analyst-workflowSort AQ table by Finding score. 
appName: 'enterprise-security',
component: 'aq-analyst-workflow',
data: {
  action: 'click',
  section: 'sort-aq-table-by-finding-score',
}
Enterprise security - aq-analyst-workflowView all nested findings/ finding groups in AQ table item. 
appName: 'enterprise-security',
component: 'aq-analyst-workflow',
data: {
    section: 'aq_nested_findings',
    action: 'view_all_findinggroups_findings',
    isInvestigation: true,
    totalCount: 11,
}
Mission Control - SIDEPANEL_INCLUDED_FINDINGS_TABLEView all nested findings/ finding groups in AQ Sidepanel. 
data: {
    appName: 'MissionControl',
    component: 'MissionControl.SIDEPANEL_INCLUDED_FINDINGS_TABLE',
    action: 'view_all_findinggroups_findings'
    isInvestigation: true,
    totalCount: 11,
}
Mission Control - SIDEPANEL_INCLUDED_FINDINGS_TABLEView all nested findings when a finding group is expanded under Included Findings Table in AQ Sidepanel. 
data: {
    appName: 'MissionControl',
    component: 'MissionControl.SIDEPANEL_INCLUDED_FINDINGS_TABLE',
    action: 'view_all_findings'
}
Mission Control - SIDEPANEL_DETAILS_BREADCRUMBSAbility to navigate using breadcrumbs at the top of AQ Sidepanel. 
data: {
    appName: 'MissionControl',
    component: 'MissionControl.SIDEPANEL_DETAILS_BREADCRUMBS',
    action: 'breadcrumb_clicked',
    type: 'finding_group',
    breadcrumbLevel: 2,
    totalBreadcrumbs: 3
}
Mission Control - FINDINGS_SIDE_PANELShow more findings/ finding groups in the findings side panel of Investigation Overview. 
data: {
    appName: 'MissionControl',
    component: 'MissionControl.FINDINGS_SIDE_PANEL',
    action: 'show_more_findinggroups_findings',
    currentPage: 2
}
Mission Control - FINDINGS_SIDE_PANELShow more findings within a finding group in the findings side panel of Investigation Overview. 
data: {
    appName: 'MissionControl',
    component: 'MissionControl.FINDINGS_SIDE_PANEL',
    action: 'show_more_findings',
    currentPage: 2
}
Mission Control - NESTED_DRILLDOWN_VIEWShow the viewing duration on the nested drilldown view. 
{
    "appName":"enterprise-security",
    "component":"nested_drilldown_view_duration",
    "data":{
         "duration":"42.30",
         "type":"finding_group"
    }
}
Mission Control - NESTED_DRILLDOWN_VIEWShow the action performed in the nested drilldown view. 
{
    "appName":"enterprise-security",
    "component":"nested_drilldown_view_duration",
    "data":{
         "action":"SORT",
    }
}

Mission Control -

associatedFindingsCheckbox

Show the associated findings checkbox is checked or not. 
{
"appName":"MissionControl",
"component":"associatedFindingsCheckbox",
    "data":{
         "action":"clicked",
         "type":"checked"
    }
  }
Enterprise security - legacy-investigation-listLegacy investigation list has been loaded. 
{
    "appName":"enterprise-security",
    "component":"legacy-investigation-list",
    "data":{
         "action":"loaded",
         "section":"success"
    }
  }
Enterprise security - legacy-investigationLegacy investigation has been loaded. 
{
    "appName":"enterprise-security",
    "component":"legacy-investigation",
    "data":{
         "action":"loaded"
    }
  }
Enterprise security - select-add-app-to-versioningOn Configure → General Settings → Versioning, emits event when an app is selected. 
{
  appName: "enterprise-security",
  component: "select-add-app-to-versioning",
  data: {
      action: "select-app",
      apps: [{"name": "mycustomapp", "author": "david", "version": "1.0.0"}],
  },
}
Enterprise security - confirm-add-app-to-versioningOn Configure → General Settings → Versioning, emits event when the confirm button is clicked on add apps. 
{
    appName: "enterprise-security",
    component: "confirm-add-app-to-versioning",
    data: {
        action: "confirm-add-apps",
        result: "success",
        appCount: 1,
        appNames: ["myCustomApp"],
    },
}

Share threat data in Splunk Enterprise Security

Sharing of telemetry usage data is different from sharing threat data. If you are a Splunk Enterprise Security Hosted Service Offering (cloud) customer with a standard terms contract renewed or created after January 10, 2025, you can refer to Share threat data in Splunk Enterprise Security for details on enhanced data sharing to support improved detection capabilities, update threat intelligence, and operations of our security content offerings.