FAQ
Remove "other" from charts
When you drill down on "other" in a chart, no results will be shown. The default for the macro is true
, which displays "other" in charts. No results will be shown when "other" is clicked. The workaround is to change the `useother`
macro to configure whether or not "other" is displayed in the chart.
1. To change the definition in the macro to false
, make a macros.conf
in $SPLUNK_HOME/etc/apps/SA-Utils/local
.
2. Update the macros.conf
adding:
[useother] definition = false
3. Save the file.
Whitelist vulnerability scanners from consideration
Active vulnerability scanners can create traffic analysis problems in a number of ways. Anomalous amounts and types of traffic, high cardinality in short time frames that will not summarize well, and signature-based triggering of other security systems are some of the possible issues. To avoid these problems, you can whitelist known vulnerability scanners in your network and block them from analysis.
1. Add the IP addresses of known vulnerability scanners to the asset table and set a category of "known_scanner". This can be done at Configure > Lists and Lookups > assets or by editing $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/assets.csv
.
2. The asset merge process should run within 5 minutes, but can be forced by disabling and enabling the static_assets input at Configure > Identity Manager. Run the following search to test that the category is working correctly:
`get_category(known_scanner)`
Similarly, correlation searches that are generating false positives can be altered to ignore scanners by adding
search NOT (dvc_category="known_scanner" OR src_category="known_scanner" OR dest_category="known_scanner")
after the main search terms and before the analysis search commands.
How do I monitor forwarders to ensure they are correctly sending data?
Enterprise Security includes a rule that will trigger whenever a forwarder quits submitting events. To do so, you need to add the forwarder to the asset list and indicate that events should be expected from the device. See Identity Manager in this manual for information about how to configure the asset list.
Is there a limit on the number of results that can be displayed in a dashboard? Can I change this?
For panels that use the Splunk stats
command to create the chart, the count is limited by default to 100K values (for example, Client Distribution by Product Versions panel on the Malware Operations dashboard).
You can change this limit by editing maxvalues
in the [stats]
stanza in Splunk's limits.conf
file. See "limits.conf" in the Splunk documentation for details.
Blank screen (no login prompt) following the installation of Enterprise Security
This occurs because Splunk Web is communicating with Splunk over HTTP instead of HTTPS. Change the protocol in your browser to use HTTPS. By default, Splunk communicates to the web-browser over an unencrypted channel (HTTP). For security reasons, Enterprise Security forces Splunk to use an encrypted channel (HTTPS).
Blank screen after logging in following the installation of Enterprise Security
This occurs when Enterprise Security is installed before Splunk is run once. Splunk completes the installation phase the first time it is run. Only after Splunk is started once can you install Enterprise Security. If you see this problem, restart Splunk.
No entries exist in a lookup after editing the CSV file (even though the file exists)
This can happen when the lookup file is saved with the wrong type of line-endings. The CSV files must contain UNIX style line endings as opposed to Macintosh or Windows line endings. Convert the line-endings to UNIX style endlines and the lookup file rows should appear in Splunk.
Upgrade Splunk App for Enterprise Security | List of dashboards to app |
This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3
Feedback submitted, thanks!