Splunk® Enterprise Security

Installation and Upgrade Manual

Acrobat logo Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Acrobat logo Download topic as PDF

Troubleshoot your deployment

Blank screen (no login prompt) following the installation of Enterprise Security

This occurs because Splunk Web is communicating with Splunk over HTTP instead of HTTPS. Change the protocol in your browser to use HTTPS. By default, Splunk communicates to the web-browser over an unencrypted channel (HTTP). For security reasons, Enterprise Security forces Splunk to use an encrypted channel (HTTPS).

Blank screen after logging in following the installation of Enterprise Security

This occurs when Enterprise Security is installed before Splunk is run once. Splunk completes the installation phase the first time it is run. Only after Splunk is started once can you install Enterprise Security. If you see this problem, restart Splunk.

Error on the Event Geography dashboard under Resources

This error occurs when Enterprise Security is first installed since the map has not yet been generated and will disappear after about 20 minutes. This only occurs the first time Enterprise Security is installed.


Note: The Event Geography dashboard must be enabled; it is disabled by default.

Go to Configure > Domains / Dashboards and click the box next to Event Geography. Click Save.

Event Geography map is blank

The geographical map will be blank until Enterprise Security has events that include assets with latitude and longitude data.

No entries exist in a lookup after editing the CSV file (even though the file exists)

This can happen when the lookup file is saved with the wrong type of line-endings. The CSV files must contain UNIX style line endings as opposed to Macintosh or Windows line endings. Convert the line-endings to UNIX style endlines and the lookup file rows should appear in Splunk.

Verify that a data model namespace exists

In the Splunk App for Enterprise Security, use the Data Model Audit dashboard to view the data model namespaces in your deployment.

To validate that an accelerated data model namespace exists, it is usually sufficient to execute the following search:

   | tstats count from <namespace>

A non-zero event count indicates that the namespace exists, unless the namespace exists but is empty. In this case, use the following search to show all the TSIDX namespaces on the system:

   | rest /services/data/tsidxstats

See "Tscollect" in the Splunk Search Reference Manual for more information about data model namespaces.

Whitelist vulnerability scanners from consideration

Active vulnerability scanners can create traffic analysis problems in a number of ways. Anomalous amounts and types of traffic, high cardinality in short time frames that will not summarize well, and signature-based triggering of other security systems are some of the possible issues. To avoid these problems, you can whitelist known vulnerability scanners in your network and block them from analysis.

1. Add the IP addresses of known vulnerability scanners to the asset table and set a category of "known_scanner". This can be done at Configure > Lists and Lookups > assets or by editing $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/assets.csv.

2. The asset merge process should run within 5 minutes, but can be forced by disabling and enabling the static_assets input at Configure > Identity Manager. Run the following search to test that the category is working correctly:


Similarly, correlation searches that are generating false positives can be altered to ignore scanners by adding

   search NOT (dvc_category="known_scanner" 
   OR src_category="known_scanner" OR dest_category="known_scanner") 

after the main search terms and before the analysis search commands.

Last modified on 10 December, 2013
Log files

This documentation applies to the following versions of Splunk® Enterprise Security: 3.0, 3.0.1

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters