Configuring Search Hub
Search Hub governance relies on configurable rules and automation actions that determine how searches are evaluated, flagged, and remediated. Configuration is role-aware and depends on Atlas RBAC:
- Atlas Viewers: Can see search governance results but cannot make changes.
- Atlas Creators: Can create, edit, and test rules in the governance console.
- Atlas Admins: Can configure the system, enable/disable rules, and apply automation through the configuration modal.
Creating and Editing Rules
Atlas Creators and Admins can add or modify rules through the console.
- Rule Name: A descriptive title of the governance rule.
- Description: A description of the rule. This is a good place to document the recommended fix procedure.
- Condition: The criteria that must be met (e.g., searches running too frequently, searches producing excessive results). See Condition Examples below.
Adding or modifying a rule prompts the user to run the Governance search early so that the findings reflect the change without waiting for the next scheduled run.
Condition Examples
Atlas Creators and Admins can leverage these fields when creating a rule.
- savedsearch_name: Name of search.
- savedsearch_app: App of search.
- savedsearch_owner: Splunk owner of Search.
- avg_runtime: Average runtime of search in seconds.
- avg_latency: Average latency of search in seconds.
- skip_rate: Skip rate of the search expressed as a fraction of its runs (1 would be a 100% skip rate).
- skip_count: Number of times the search was skipped (3 would mean the search was skipped 3 times).
- run_count: Number of times the search ran in the last 24 hours.
- avg_svcs: Average SVC consumption in the last 24 hours (Splunk Cloud only).
- tot_svcs: Total SVCs consumed in the last 24 hours (Splunk Cloud only).
Conditional Logic
Conditions on these fields use the same conditional logic as the Splunk 'where' command, so comparison operators such as >, >=, and functions such as like() can be combined to build useful rules.
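A few rule definitions written against the fields above, as an added illustration rather than rules shipped with Atlas; the thresholds are assumptions to be tuned to the environment, and each Condition is in the 'where'-style syntax the console accepts:

```spl
Rule Name: Slow and frequent
Description: Runs more than hourly and averages over 5 minutes. Widen the schedule or narrow the time range.
Condition: avg_runtime > 300 AND run_count > 24

Rule Name: Skipped searches
Description: Skipped on more than a quarter of runs. Check scheduler concurrency and stagger the cron schedule.
Condition: skip_rate >= 0.25 AND skip_count > 5

Rule Name: Test searches left enabled
Description: Name suggests a test or temporary search. Disable or rename it.
Condition: like(savedsearch_name, "%test%") OR like(savedsearch_name, "%tmp%")

Rule Name: High SVC consumer (Splunk Cloud only)
Description: Consumes a large share of the daily SVC budget. Review the search for an indexed-field or summary-index rewrite.
Condition: tot_svcs > 50 OR avg_svcs > 2

Rule Name: Laggy search in a user app
Description: High latency outside the search app. Ask the owner to review the schedule window.
Condition: avg_latency > 60 AND savedsearch_app != "search"
```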
Configuration Modal (Admins Only)
Atlas Admins have additional configuration access through the Configuration Modal:
Enabling Search Governance
- Enable/Disable Rules: Activate or deactivate rules globally.
- Target Environments: The environments these rules will apply to. Each must be either the local host or a previously configured Atlas Target.
- Admin Contact: Searches that have no owner are reported to this email address instead. Users are also directed to contact this address for assistance.
Automated Remediation Actions
- Automated User Alert: When activated, Splunk will send an email to Splunk users whose searches are breaching rules, notifying them of which searches are failing which rules.
- Escalation Alert: When activated, Splunk will send a daily email to the owner of any search that has been under Warning for the configured number of days. This warning states that Splunk Admins may edit or disable the search.
- Auto Disable: When activated, Splunk will automatically disable any search that has been Escalated for the configured number of days. Users are warned of this in the notification emails.
Best Practices
- Start with Warnings: Configure rules to warn before enabling escalations or auto-remediation.
- Notify Owners Early: Ensure owners are contacted before disabling their searches.
- Audit Regularly: Use Action Logs to review what governance actions have taken place.
- Align with Limits: Configure rules to reflect Splunk system and license limits for maximum effectiveness.