Known Issues in Splunk UBA
This version of Splunk UBA has the following known issues and workarounds.
If no issues are listed, there are no known issues at this time.
| Date filed | Issue number | Description |
|---|---|---|
| 2022-09-06 | UBA-16289 | 7-node UBA deployment has an invalid value for system.messaging.rawdatatopic.retention.time in caspidatunables-7_node.conf. Workaround: SSH into the management node as the caspida user. 1. Edit the following two files: /etc/caspida/local/conf/deployment/uba-tuning.properties and /opt/caspida/conf/deployment/recipes/caspida/caspidatunables-7_node.conf. In each file, correct the field system.messaging.rawdatatopic.retention.time to be 1d instead of 1dq. 2. Sync the cluster: /opt/caspida/bin/Caspida sync-cluster /etc/caspida/local/conf/deployment/ and /opt/caspida/bin/Caspida sync-cluster /opt/caspida/conf/deployment/recipes/caspida/ 3. Restart the cluster: /opt/caspida/bin/Caspida stop-all followed by /opt/caspida/bin/Caspida start-all |
| 2022-04-14 | UBA-15607, UBA-14237 | Unable to create an Anomaly Table filter or an AAR filter for Specific Devices when specifying more than 20 CIDRs |
| 2022-04-14 | UBA-15608, UBA-14502 | Exporting more than 4.3K Anomalies table results crashes the UBA UI (permanent fix for UBA-14502) |
| 2022-02-14 | UBA-15364 | Spark HistoryServer runs out of memory on large deployments with the error "java.lang.OutOfMemoryError: GC overhead limit exceeded". Workaround: Open the following file for editing on the Spark History Server: /var/vcap/packages/spark/conf/spark-env.sh. You can check the deployments.conf field spark.history to find out which node runs the Spark History Server. Update the following setting to 3G: Afterwards, restart the Spark services: /opt/caspida/bin/Caspida stop-spark && /opt/caspida/bin/Caspida start-spark |
| 2022-01-25 | UBA-15321 | Upgrade script for Ubuntu systems needs revised commands to install external packages correctly. Workaround: If the upgrade to UBA 5.0.5 failed in a lockdown environment with no internet connection, perform the following steps on the failed UBA node: |
| 2021-12-06 | UBA-15164 | Download Diagnostics "Parsers" for multi-node deployments misses /var/log/caspida/jobexecutor* |
| 2021-09-29 | UBA-14894 | UBA EPS drops after Splunk 8.2.1/8.2.2 upgrade on search heads used by data sources |
| 2021-08-05 | UBA-14678 | Splunk UBA Kafka App is missing the distsearch.conf file |
| 2021-07-26 | UBA-14629 | Need to handle upgrade for TimeSeries Custom Model |
| 2021-05-04 | UBA-14516 | Health Monitor - An error occurred while retrieving data - Error from /uba/monitor Invalid Json response: Error in getting the response Parameters: {"queryStatus":true,"queryDataQualityStatus":true} Workaround: |
| 2021-01-25 | UBA-14390 | New threats sent to ES have an incorrect "status" field value |
| 2021-01-12 | UBA-14382 | "HTTP 400 -- Error in 'sendtoubakafka' command: External search command exited unexpectedly with non-zero error code 1." |
| 2021-01-11 | UBA-14379 | Discrepancy between Threats and notable events in ES. Workaround: As a temporary workaround, edit the search in ES. Look for the "UEBA Threat Detected" correlation search and remove '\| search uba_threat_status != closed' |
| 2021-01-05 | UBA-14376 | Custom Model: Invalid anomaly custom field 'uniqueDestinations' |
| 2020-12-03 | UBA-14354 | Spark Nodes out of sync with Master after 5.0.4 Upgrade |
| 2020-11-20 | UBA-14339 | Custom Models TimeSeries model errors associated with missing skipOldAnomaliesThreshold |
| 2020-11-09 | UBA-14305 | Upgrading to 5.0.4: /opt/caspida/lib/CaspidaSecurity.jar is not synced after upgrade. Workaround: After completing the upgrade to Splunk UBA 5.0.4, run the following commands on the master node in your Splunk UBA deployment: /opt/caspida/bin/Caspida stop, then /opt/caspida/bin/Caspida sync-cluster, then /opt/caspida/bin/Caspida start |
| 2020-10-30 | UBA-14287, UBA-17142 | Issue while deleting a datasource referencing another UBA original primary cluster |
| 2020-06-29 | UBA-14199, UBA-12111 | Impala JDBC connections leak. Workaround: |
| 2020-04-10 | UBA-13810 | CSV Export of 3000 or More Anomalies Fails |
| 2020-04-07 | UBA-13804 | Kubernetes certificates expire after one year. Workaround: Run the following commands on the Splunk UBA master node: /opt/caspida/bin/Caspida remove-containerization, then /opt/caspida/bin/Caspida setup-containerization, then /opt/caspida/bin/Caspida stop-all, then /opt/caspida/bin/Caspida start-all |
| 2019-10-07 | UBA-13227 | Backend anomaly and custom model names are displayed in Splunk UBA. Workaround: Click the reload button in the web browser to force a reload of the UI page. |
| 2019-08-29 | UBA-13020 | Anomalies migrated from test-mode to active-mode won't be pushed to ES |
| 2019-08-06 | UBA-12910 | Splunk Direct - Cloud Storage does not expose the src_ip field. Workaround: When ingesting Office 365 SharePoint/OneDrive logs through Splunk Direct - Cloud Storage, add an additional field mapping for src_ip in the final SPL so that it is mapped from ClientIP (\| eval src_ip=ClientIP). Make sure to add src_ip to the final list of fields selected with the fields command. For example: \| fields app,change_type,dest_user,file_hash,file_size,object,object_path,object_type,parent_category,parent_hash,sourcetype,src_user,tag,src_ip |
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.4