Troubleshoot the Splunk Add-on for CyberArk EPM
For troubleshooting tips that apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
Delay in Data Ingestion
Before performing the task below, verify that you provided the correct CyberArk EPM account information and that your inputs are configured correctly.
Verify your API call limits:
- Go to Configuration > Logging and set the log level to DEBUG.
- Execute:
index="_internal" source="*splunk_ta_cyberark_epm*" "Maximum limit"
- Check for the following log message:
Maximum limit <number> for number of API calls exceeded. Going into sleep for <number> minute(s)
This message indicates that the input is working but has reached the API limit of your account.
- To increase the API limit for your account, contact CyberArk Support at support@cyberark.com.
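To see how often and for how long the input is throttled, the search from the steps above can be extended to extract the two numbers from the log message and total them per hour. This is an added example, not a search from the add-on documentation; the field names api_limit, sleep_minutes, throttle_events, minutes_slept and pct_of_hour_sleeping are chosen here, and the rex pattern assumes both <number> placeholders are plain integers.

```spl
index="_internal" source="*splunk_ta_cyberark_epm*" "Maximum limit"
| rex "Maximum limit (?<api_limit>\d+) for number of API calls exceeded\. Going into sleep for (?<sleep_minutes>\d+) minute"
| where isnotnull(api_limit)
| bin _time span=1h
| stats count AS throttle_events, max(api_limit) AS api_limit, sum(sleep_minutes) AS minutes_slept BY _time, source
| eval pct_of_hour_sleeping = round(minutes_slept / 60 * 100, 1)
| sort - _time
```

A sleep logged near the end of an hour runs into the next one, so treat pct_of_hour_sleeping as an approximation of how much of each hour the input spent waiting on the API limit.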
If the user faces any errors related to API limitations for new inputs, the cause might be the API limitations of CyberArk EPM v23.3.0. These limitations are mentioned in the troubleshooting section "API Limitations for CyberArk EPM".
Data is not ingested in Splunk
For best results when experiencing issues in data ingestion or data collection, use the Splunk Add-on for CyberArk EPM v2.0.0 and later for its enhanced functionality.
- Verify Account and Inputs are configured properly.
- Verify KV Store is enabled and working.
- Check that data is available within the time range. By default, the add-on starts collecting the data generated within the last 6 minutes on the EPM server. After that, it collects the data as per the last ingested event.
- To collect historical data, users can utilize the "Start Date" field provided in the new inputs.
Refer to the CyberArk EPM API limitation documentation for details regarding the number of allowed API calls within a time range.
Event Truncation
For the sourcetype cyberark:epm:policies, when the user selects the collect_policy_details option to collect the details of the policy, the event might be truncated because the policy details are longer than the maximum event size of 10k bytes that Splunk allows.
Issue with Account Configuration
- If the "EPM server cannot process the request. Bad Request" error is encountered in the UI during account configuration, make sure there is no whitespace in the username field.
- If the "Could not connect to CyberArk Server. Check Network and Configuration settings." error is encountered in the UI during account configuration, make sure that the EPM server can be reached and that the URL does not contain any whitespace.
- To further troubleshoot any issue, check the log files.
This documentation applies to the following versions of Splunk® Supported Add-ons: released