Configuring Search Hub
Search Hub uses background searches, a summarization metric index, and KV Store data to deliver a faster Scheduled Searches experience. Atlas Admins complete the initial setup and resolve dependency issues. Atlas Creators and Atlas Admins configure Search Governance rules after Search Hub is available.
Roles and Responsibilities
- Atlas Viewers: Can review search activity and governance results, but cannot change Search Hub configuration or rules.
- Atlas Creators: Can create, edit, and test governance rules after Search Hub is configured.
- Atlas Admins: Can configure Search Hub, recover required dependencies, and manage governance automation.
Search Hub States
- Configured: Search Hub loads normally and Scheduled Searches, Search Governance, and Impact views are available.
- Not Configured - Atlas Admin: Search Hub opens the setup page so an Atlas Admin can select a summarization metric index, choose a minimum performance history requirement, and enable the required searches.
- Not Configured - Not Atlas Admin: Search Hub explains that an Atlas Admin must complete configuration before the feature can be used fully.
If the required background searches are disabled or otherwise tampered with, Search Hub attempts to return to the Not Configured state so an Atlas Admin can recover them.
Required Search Hub Dependencies
Search Hub depends on the following background searches:
| Search | Purpose | Schedule |
|---|---|---|
| Atlas Scheduled Searches Inventory | Builds an inventory of scheduled searches, including schedule, time range, and parsed search details. | Daily |
| Atlas Scheduled Searches Snapshot | Queries summarized performance data to populate Search Hub views and governance snapshots. | Daily |
| Atlas Scheduled Search Summarization | Populates the Search Hub summarization metric index with scheduled search performance metrics. | Every 5 minutes |
Search Hub stores summarized scheduled search performance data in the selected Summarization Metric Index and uses KV Store data to populate the Scheduled Searches experience quickly.
Configure Search Hub
- Open Search Hub as an Atlas Admin. If Search Hub is not configured, the setup page appears automatically.
- Review the status of the required Search Hub background searches.
- Select the Summarization Metric Index used to store Search Hub scheduled search performance data.
- Select the Minimum Performance History requirement for Search Hub.
- Select Confirm to enable required background searches and start the initial backfill when needed.
Minimum Performance History and Backfill
- Search Hub checks the earliest summarized performance data available against the selected minimum history requirement.
- If minimum history is not met, Search Hub backfills data until the requirement is satisfied, skipping time ranges that already have coverage.
- Backfill Needs Met is a warning or informational indicator. It highlights that Search Hub is still collecting the requested history, but it is not a hard blocker for setup.
- Twenty-four hours of history is sufficient for most initial Search Hub workflows.
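The history check and the coverage-aware backfill described above, as an added example in Python (not Atlas code): given a minimum history requirement and the time ranges already summarized, it reports whether the requirement is met and which uncovered ranges a backfill would still have to fill. `NOW`, `REQUIRED` and `SAMPLE_COVERAGE` are constructed inputs for illustration.

```python
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)

# Constructed sample: "now" and the minimum performance history chosen in setup.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
REQUIRED = 24 * HOUR

# Constructed coverage already present in the summarization metric index,
# as (start, end) ranges: the last 6 hours plus an older 6-hour slice.
SAMPLE_COVERAGE = [
    (NOW - 6 * HOUR, NOW),
    (NOW - 20 * HOUR, NOW - 14 * HOUR),
]


def merge_intervals(intervals):
    """Sort (start, end) ranges and merge any that overlap or touch."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def history_met(coverage, required, now):
    """The setup check: does the earliest summarized data reach back far enough?"""
    merged = merge_intervals(coverage)
    if not merged:
        return False
    return merged[0][0] <= now - required


def backfill_ranges(coverage, required, now):
    """Return the uncovered (start, end) ranges inside [now - required, now],
    i.e. what a backfill still has to summarize; covered ranges are skipped."""
    cursor = now - required
    gaps = []
    for start, end in merge_intervals(coverage):
        if end <= cursor:
            continue            # entirely before the window of interest
        if start >= now:
            break               # entirely after it
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, end)
        if cursor >= now:
            break
    if cursor < now:
        gaps.append((cursor, now))
    return gaps


if __name__ == "__main__":
    print("history met:", history_met(SAMPLE_COVERAGE, REQUIRED, NOW))
    for start, end in backfill_ranges(SAMPLE_COVERAGE, REQUIRED, NOW):
        print(f"backfill {start:%Y-%m-%d %H:%M} -> {end:%Y-%m-%d %H:%M}")
```

With the constructed coverage the requirement is not met and two gaps are reported (hours 24 to 20 and 14 to 6 before now); once those are summarized the check passes and no further backfill is needed.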
Search Governance Automation
Atlas Admins manage Search Governance automation through the Search Hub configuration experience.
Enabling Search Governance
- Enable/Disable Rules: Activate or deactivate rules globally.
- Target Environments: Select the environments that rules apply against. These can be the local host or previously configured Atlas Targets.
Automated Remediation Actions
Each remediation action requires the previous option to be selected.
- Automated User Alert: When activated, Splunk sends an email to Splunk users with searches breaching rules, notifying them which searches are failing which rules. A contact email is required for this setting to function.
- Escalation Alert: When activated, Splunk sends a daily email to the owner of searches that have been under Warning for the configured number of days. This warning explains that Splunk Admins may edit or disable the search.
- Auto Disable: When activated, Splunk automatically disables any search that has been Escalated for the configured number of days. Users are warned of this in the notification emails.
Best Practices
- Start with Warnings: Configure rules to warn before enabling escalations or auto-remediation.
- Notify Owners Early: Ensure owners are contacted before disabling their searches.
- Audit Regularly: Use action logs to review what governance actions have taken place.
- Align with Limits: Configure rules to reflect Splunk system and license limits for maximum effectiveness.
Search Governance Rules
After Search Hub is configured, Atlas Creators and Atlas Admins can add or modify Search Governance rules through the Search Governance Rules page.
- Rule Name: A descriptive title of the governance rule.
- Description: A description of the rule. This is a good place to document the recommended fix procedure.
- Condition: The criteria that must be met, such as searches running too frequently or searches producing excessive results.
Search Governance expands macros before evaluating rules, which improves rule behavior for searches that rely on macro logic. After adding or modifying a rule, Atlas can rerun the governance search so findings update before the next scheduled execution.
Condition Description
Atlas Creators and Admins can leverage these fields when creating a rule.
- savedsearch_name: Name of search.
- savedsearch_app: App of search.
- savedsearch_owner: Splunk owner of search.
- generating_command: The raw text of the first line of the Splunk query. This is useful for identifying searches with wildcards.
- earliest_time: Earliest time configuration of the search. `0` means all time.
- latest_time: Relative latest time configuration of the search. For example, `-1d@d` is the start of the previous day.
- timerange_is_inline: Returns `1` if the time range is set inline in the SPL of the search, `0` if not.
- window_minutes: Number of minutes between earliest and latest time.
- cron_schedule: String of the cron schedule.
- interval_min: Number of minutes between configured scheduled runs. For instance, if a search is scheduled to run every 5 minutes, this is `5`.
- interval_max: Maximum number of minutes between scheduled runs within the time range. This is useful for searches that do not follow a regular schedule pattern.
- misconfig_minutes: Difference between the time range window and the schedule interval. Positive when the window is larger than the interval (overlapping coverage); negative when there is a coverage gap between runs.
- avg_runtime: Average runtime of the search in seconds.
- perc90_runtime: 90th percentile runtime of the search.
- avg_latency: Average latency of the search in seconds.
- skip_rate: Skip rate of the search as a ratio between 0 and 1; `1` is a 100 percent skip rate.
- skip_count: Skip count of the search; `3` means the search was skipped 3 times.
- run_count: Number of times the search ran in the last 24 hours.
- avg_svcs: Average SVC consumption in the last 24 hours on Splunk Cloud.
- tot_svcs: Total SVC consumption in the last 24 hours on Splunk Cloud.
- perc90_svcs: SVC usage in the 90th percentile.
Atlas Search Governance also supports all standard saved search knowledge object fields.
Conditional Logic
The fields can be combined with Splunk conditional logic similar to the where command. Operators such as >, >=, like(), AND and OR help build useful rules.
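As an added example covering both the condition fields above and the where-style conditional logic, the following Python (not Atlas code) evaluates a handful of governance rules over constructed inventory records that use the page's field names. Each rule carries the where-style condition an Atlas Creator might type beside its Python equivalent; the search records, the rule set, and the derivation of misconfig_minutes as window_minutes minus interval_min are assumptions made for illustration.

```python
# Constructed sample inventory records using the field names from the page.
SEARCHES = [
    {
        "savedsearch_name": "Auth failures - 5m",
        "savedsearch_app": "search", "savedsearch_owner": "soc_analyst",
        "generating_command": "index=auth action=failure",
        "earliest_time": "-5m@m", "latest_time": "now",
        "cron_schedule": "*/5 * * * *", "interval_min": 5, "window_minutes": 5,
        "avg_runtime": 12.0, "perc90_runtime": 20.0, "skip_rate": 0.0,
    },
    {
        "savedsearch_name": "All-index sweep",
        "savedsearch_app": "search", "savedsearch_owner": "contractor",
        "generating_command": "index=* sourcetype=* | stats count by sourcetype",
        "earliest_time": "0", "latest_time": "now",          # all time, every 15 minutes
        "cron_schedule": "*/15 * * * *", "interval_min": 15, "window_minutes": 525600,
        "avg_runtime": 700.0, "perc90_runtime": 1200.0, "skip_rate": 0.2,
    },
    {
        "savedsearch_name": "Hourly VPN summary",
        "savedsearch_app": "vpn_app", "savedsearch_owner": "netops",
        "generating_command": "index=vpn sourcetype=vpn:session | stats count by user",
        "earliest_time": "-30m@m", "latest_time": "now",     # 30-minute window, hourly run
        "cron_schedule": "0 * * * *", "interval_min": 60, "window_minutes": 30,
        "avg_runtime": 30.0, "perc90_runtime": 45.0, "skip_rate": 0.6,
    },
]


def derive(search):
    """Add misconfig_minutes (assumed: window_minutes - interval_min).
    Positive means overlapping coverage, negative means a coverage gap."""
    s = dict(search)
    s["misconfig_minutes"] = s["window_minutes"] - s["interval_min"]
    return s


# (rule name, where-style condition as an Atlas Creator might write it, Python equivalent)
RULES = [
    ("coverage_gap",
     'misconfig_minutes < 0',
     lambda s: s["misconfig_minutes"] < 0),
    ("all_time_frequent",
     'earliest_time="0" AND interval_min <= 60',
     lambda s: s["earliest_time"] == "0" and s["interval_min"] <= 60),
    ("runtime_exceeds_interval",
     'perc90_runtime > interval_min * 60',
     lambda s: s["perc90_runtime"] > s["interval_min"] * 60),
    ("wildcard_index",
     'like(generating_command, "%index=*%")',
     lambda s: "index=*" in s["generating_command"]),
    ("high_skip_rate",
     'skip_rate >= 0.5',
     lambda s: s["skip_rate"] >= 0.5),
]


def evaluate(searches, rules=RULES):
    """Return {savedsearch_name: [names of rules the search breaches]}."""
    findings = {}
    for raw in searches:
        s = derive(raw)
        findings[s["savedsearch_name"]] = [name for name, _cond, pred in rules if pred(s)]
    return findings


if __name__ == "__main__":
    for name, breached in evaluate(SEARCHES).items():
        print(f"{name}: {', '.join(breached) or 'no findings'}")
```

The 5-minute authentication search produces no findings; the hourly VPN summary trips the coverage-gap rule (a 30-minute window on a 60-minute interval) and the skip-rate rule; the all-time sweep trips three rules at once, which is the profile the escalation and auto-disable actions above are meant to catch.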