Troubleshoot your deployment
Blank screen (no login prompt) following the installation of Enterprise Security
This occurs because Splunk Web is communicating with Splunk over HTTP instead of HTTPS. Change the protocol in your browser to use HTTPS. By default, Splunk communicates to the web-browser over an unencrypted channel (HTTP). For security reasons, Enterprise Security forces Splunk to use an encrypted channel (HTTPS).
Blank screen after logging in following the installation of Enterprise Security
This occurs when Enterprise Security is installed before Splunk is run once. Splunk completes the installation phase the first time it is run. Only after Splunk is started once can you install Enterprise Security. If you see this problem, restart Splunk.
Error on the Event Geography dashboard under Resources
This error occurs when Enterprise Security is first installed since the map has not yet been generated and will disappear after about 20 minutes. This only occurs the first time Enterprise Security is installed.
Note: The Event Geography dashboard must be enabled; it is disabled by default.
Go to Configure > Domains / Dashboards and click the box next to Event Geography. Click Save.
Event Geography map is blank
The geographical map will be blank until Enterprise Security has events that include assets with latitude and longitude data.
No entries exist in a lookup after editing the CSV file (even though the file exists)
This can happen when the lookup file is saved with the wrong type of line-endings. The CSV files must contain UNIX style line endings as opposed to Macintosh or Windows line endings. Convert the line-endings to UNIX style endlines and the lookup file rows should appear in Splunk.
Verify that a data model namespace exists
In the Splunk App for Enterprise Security, use the Data Model Audit dashboard to view the data model namespaces in your deployment.
To validate that an accelerated data model namespace exists, it is usually sufficient to execute the following search:
| tstats count from <namespace>
A non-zero event count indicates that the namespace exists, unless the namespace exists but is empty. In this case, use the following search to show all the TSIDX namespaces on the system:
| rest /services/data/tsidxstats
Whitelist vulnerability scanners from consideration
Active vulnerability scanners can create traffic analysis problems in a number of ways. Anomalous amounts and types of traffic, high cardinality in short time frames that will not summarize well, and signature-based triggering of other security systems are some of the possible issues. To avoid these problems, you can whitelist known vulnerability scanners in your network and block them from analysis.
1. Add the IP addresses of known vulnerability scanners to the asset table and set a category of "known_scanner". This can be done at Configure > Lists and Lookups > assets or by editing
2. The asset merge process should run within 5 minutes, but can be forced by disabling and enabling the static_assets input at Configure > Identity Manager. Run the following search to test that the category is working correctly:
Similarly, correlation searches that are generating false positives can be altered to ignore scanners by adding
search NOT (dvc_category="known_scanner" OR src_category="known_scanner" OR dest_category="known_scanner")
after the main search terms and before the analysis search commands.
This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1