Splunk® User Behavior Analytics Monitoring App

Splunk UBA Monitoring App

This documentation does not apply to the most recent version of Splunk® User Behavior Analytics Monitoring App. For documentation on the most recent version, go to the latest release.

Example: Troubleshoot an output connector

Let's examine a BAD status for the Output Connector indicator.

The BAD status means something has stopped working. Click on the status to view more information.

This screen image shows the Splunk UBA Monitoring App home page. The Output Connector indicator is red and shows a status of BAD.

Examine the KPIs for the output connector

On this KPIs screen, we can highlight the BAD status in the Indicator Failure Trend and see that the event occurred between Midnight and 1:00 AM on February 6. The Health Monitor section of the page shows additional information that Splunk UBA was not able to send threat to Splunk Enterprise Security (ES).

We can examine the Splunk UBA logs for further information. Click UBA Logs in the menu bar.

This screen image shows the KPIs page for the Output Connector indicator in the Splunk UBA Monitoring App. The Output Connector Server module is showing a status of BAD.

Examine the Splunk UBA logs

By default, error level messages are shown on the UBA Logs page. Add WARN to the Log Level filter at the top of the page. The outputconnector.log appears as one of the top 10 logs generating events in the system.

Click on outputconnector.log to view more information.

This screen image shows the UBA Logs page. At the top of the page, the Log Level filter includes both ERROR and WARN. Below that, there is a list of 10 logs sorted by most event counts to least event counts. The output connector log is number 4 in the list.

Examine events in the log

You can change the time range in the Event Count Trend to narrow down the number of events you examine. Earlier in the example, we noticed issues between Midnight - 1:00 AM. Adjust the slider in the Event Count Trend to include only events between Midnight - 1:00 AM on February 6.

We see many Broken pipe warning messages, indicating a problem with the connection in the output connector.

This screen image shows details for the output connector log. The relevant elements are described in the text immediately following this image.

In this situation, you can consider the following actions:

  • Check your Splunk ES instance to make sure that it is still running.
  • Verify your network settings to make sure that Splunk UBA can reach your Splunk ES instance.
Last modified on 08 May, 2024
Example: Troubleshoot a data source  

This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.0.0, 1.1, 1.1.1, 1.1.2, 1.1.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters