Splunk® User Behavior Analytics Monitoring App

Splunk UBA Monitoring App

Example: Troubleshoot an output connector

The following example examines a BAD status on the Output Connector indicator.

The BAD status means something has stopped working. Select the BAD status to open the KPIs page.

This screen image shows the Splunk UBA Monitoring App home page. The Output Connector indicator is red and shows a status of BAD.

Examine the KPIs for the output connector

On the KPIs screen, you can highlight the BAD status in the Indicator Failure Trend and see that the event occurred between midnight and 1:00 AM on February 6. The Health Monitor section of the page shows additional information: Splunk UBA was not able to send threats to Splunk Enterprise Security (ES).

You can examine the Splunk UBA logs for further information. Select UBA Logs in the menu bar.

This screen image shows the KPIs page for the Output Connector indicator in the Splunk UBA Monitoring App. The Output Connector Server module is showing a status of BAD.

Examine the Splunk UBA logs

By default, only ERROR-level messages are shown on the UBA Logs page. Add WARN to the Log Level filter at the top of the page. The outputconnector.log then appears as one of the top 10 logs generating events in the system.

Select outputconnector.log to view more information.

This screen image shows the UBA Logs page. At the top of the page, the Log Level filter includes both ERROR and WARN. Below that, there is a list of 10 logs sorted by most event counts to least event counts. The output connector log is number 4 in the list.

Examine events in the log

You can change the time range in the Event Count Trend to narrow down the number of events you examine. Earlier in the example, issues were identified between midnight and 1:00 AM. Adjust the slider in the Event Count Trend to include only events between midnight and 1:00 AM on February 6.

You see many Broken pipe warning messages, indicating a problem with the connection in the output connector.

This screen image shows details for the output connector log. The relevant elements are described in the text immediately following this image.

In this situation, you can consider the following actions:

  • Check your Splunk ES instance to make sure that it is still running.
  • Verify your network settings to make sure that Splunk UBA can reach your Splunk ES instance.
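
The two checks above can be told apart from the command line. The following is an added example, not part of the Splunk documentation or product: a small Python script, meant to be run from the Splunk UBA node, that makes one TCP connection attempt and classifies the result. The host and port are placeholders you supply from your own output connector configuration.

```python
import errno
import socket
import sys

# Hint per outcome, phrased for the two checks listed above.
HINTS = {
    "open": "a service is listening; the port itself is reachable",
    "refused": "host answered but nothing is listening; check that the service is running",
    "timeout": "no answer; check routing and firewall rules between the hosts",
    "unreachable": "no route to the host; check network settings",
    "dns_failure": "host name does not resolve; check DNS and the configured name",
}


def classify_endpoint(host, port, timeout=3.0):
    """Attempt one TCP connection (first resolved address) and return (state, hint)."""
    try:
        info = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0]
    except socket.gaierror:
        return "dns_failure", HINTS["dns_failure"]
    family, socktype, proto, _, addr = info
    sock = socket.socket(family, socktype, proto)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        state = "open"
    except (socket.timeout, TimeoutError):
        state = "timeout"
    except ConnectionRefusedError:
        state = "refused"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            state = "unreachable"
        else:
            return "error", str(exc)
    finally:
        sock.close()
    return state, HINTS[state]


if __name__ == "__main__":
    # Both arguments are placeholders: use the host and port configured
    # for your own output connector.
    if len(sys.argv) != 3:
        sys.exit("usage: check_endpoint.py <es-host> <port>")
    state, hint = classify_endpoint(sys.argv[1], int(sys.argv[2]))
    print(f"{sys.argv[1]}:{sys.argv[2]} -> {state}: {hint}")
```

A `refused` result usually points at the Splunk ES service itself, while `timeout` or `unreachable` points at the network path between Splunk UBA and Splunk ES.
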
Last modified on 08 May, 2024

This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.1.4

