Data Inventory

Data Source Categories use standardized searches to find data configured with the tags that are used in Splunk’s Common Information Model. You can also add custom products that don’t match the Common Information Model, or mark products that you expect to add in the future.

  1. The Data Inventory dashboard allows you to configure what products you have in your environment. Products have a variety of metadata (sourcetypes, event volume, CIM compliance) and are connected with data source categories, allowing the app to show you what content can be turned on with your present data.
  2. Here’s an example of several data source categories (DSCs) under the EDR data source. DSCs are detailed categories that have been proven out through thousands of professional services engagements.
  3. When you first open this page, it will prompt you to use the automated scans. If you install SSE on your production search head, most of the work from this page is automated!
  4. There are four automated introspection steps that pull a variety of data.
  5. For any sources or sourcetypes that are uncommon, you can tell the app what product it is.
  6. If you have a product that wasn’t detected, or you aren’t installing this app on your production search head, you can always manually add products by clicking Add Product. If you don’t have data for a DSC, you can say No Data Present.