Version: Atlas v4.5

Using Data Hub

Data Hub gives Splunk users visibility into their data and the ability to add clarity by creating Data Definitions. These definitions help teams apply stronger change management discipline to their Splunk environment. Paired with this capability, Data Hub also provides visibility into dataset utilization so Splunk Admins can better understand what data is being ingested, who owns it, and how it is being used.

For setup details, see Configuring Data Hub.

Following these steps will help Splunk admins regain control of their Splunk ecosystem and keep data ingest under control.

  1. Ensure utilization is being tracked by configuring Data Hub.
  2. Set ownership of Indexes using bulk apply.
  3. Perform utilization analysis on your high-ingest indexes to ensure they are being effectively used.
  4. Create and assign data labels such as 'Networking' or 'OS Security' to group together similar indexes.
  5. Perform routine reviews on ingests and ensure all data flowing into Splunk is owned.

Data Hub Page

Data Hub is designed to help teams manage dataset lifecycle tasks with fewer context switches. The main data table enables users to investigate their data effectively. Review the features below to fully understand the capabilities Data Hub offers.

Default Views & Additional Columns

By selecting the View dropdown, a user can select a pre-made collection of columns for the table to easily get started in Data Hub. Data Hub opens on the Utilization view by default, and the currently selected view is preserved on page reload. The default views include:

  • Utilization: This view focuses on the utilization activity of a dataset and compares ingest to overall usage.
  • Data Inventory: A report focused on the Data Label, Owner, Business Unit, and Contact information of a dataset, along with its ingest.

Selecting the data table's column button enables the user to add additional columns to the view. Your column selection is saved, but is cleared by selecting a default view.

Inline Editing

If a user is an Atlas Creator or Atlas Admin, they can double-click columns marked with a pencil icon and update fields without opening any modals.

Bulk Actions

Atlas Creators and Atlas Admins can select checkboxes on the left and then the bulk 'Define Datasets' button below to open a Bulk Update modal. Users can leverage this modal to apply information to more than one dataset at a time. Any field left blank will not be updated, changed, or cleared, but any new context added in the bulk update will overwrite previous field data.

Detailed Modals & Actions

Selecting the kebab (three dots) button on the far right of the table enables the user to view additional details and perform actions for supported workflows.

  • Show Data In Splunk: Opens and runs a search against the dataset for the last 24 hours.
  • View Dataset Info: Opens the details modal on the data definition page. Atlas Admins and Atlas Creators can update the definition in more detail here.
  • View Dataset Utilization: Reveals the utilization of the dataset. Users can review tracked SPL, drill into linked knowledge objects, and navigate directly to related dashboards or searches from this modal.

Utilization Investigation

The Utilization view helps teams understand how datasets are being used across searches and dashboards. From the utilization modal, users can inspect the tracked activity, review the SPL associated with that usage, and navigate directly to the related object when it is available to them. In search-peered environments, Data Hub resolves dashboard links to the appropriate destination so users can continue their investigation in context.