Splunk® Enterprise Security

Installation and Upgrade Manual

Download manual as PDF

This documentation does not apply to the most recent version of ES. Click here for the latest version.
Download topic as PDF

FAQ

Remove "other" from charts

When you drill down on "other" in a chart, no results will be shown. The default for the macro is true, which displays "other" in charts. No results will be shown when "other" is clicked. The workaround is to change the `useother` macro to configure whether or not "other" is displayed in the chart.

1. To change the definition in the macro to false, make a macros.conf in $SPLUNK_HOME/etc/apps/SA-Utils/local.

2. Update the macros.conf adding:

   [useother]
   definition = false

3. Save the file.

Whitelist vulnerability scanners from consideration

Active vulnerability scanners can create traffic analysis problems in a number of ways. Anomalous amounts and types of traffic, high cardinality in short time frames that will not summarize well, and signature-based triggering of other security systems are some of the possible issues. To avoid these problems, you can whitelist known vulnerability scanners in your network and block them from analysis.

1. Add the IP addresses of known vulnerability scanners to the asset table and set a category of "known_scanner". This can be done at Configure > Lists and Lookups > assets or by editing $SPLUNK_HOME/etc/apps/SA-IdentityManagement/lookups/assets.csv.

2. The asset merge process should run within 5 minutes, but can be forced by disabling and enabling the static_assets input at Configure > Identity Manager. Run the following search to test that the category is working correctly:

   `get_category(known_scanner)`

Similarly, correlation searches that are generating false positives can be altered to ignore scanners by adding

   search NOT (dvc_category="known_scanner" 
   OR src_category="known_scanner" OR dest_category="known_scanner") 

after the main search terms and before the analysis search commands.

How do I monitor forwarders to ensure they are correctly sending data?

Enterprise Security includes a rule that will trigger whenever a forwarder quits submitting events. To do so, you need to add the forwarder to the asset list and indicate that events should be expected from the device. See Identity Manager in this manual for information about how to configure the asset list.

Is there a limit on the number of results that can be displayed in a dashboard? Can I change this?

For panels that use the Splunk stats command to create the chart, the count is limited by default to 100K values (for example, Client Distribution by Product Versions panel on the Malware Operations dashboard).

You can change this limit by editing maxvalues in the [stats] stanza in Splunk's limits.conf file. See "limits.conf" in the Splunk documentation for details.

Blank screen (no login prompt) following the installation of Enterprise Security

This occurs because Splunk Web is communicating with Splunk over HTTP instead of HTTPS. Change the protocol in your browser to use HTTPS. By default, Splunk communicates to the web-browser over an unencrypted channel (HTTP). For security reasons, Enterprise Security forces Splunk to use an encrypted channel (HTTPS).

Blank screen after logging in following the installation of Enterprise Security

This occurs when Enterprise Security is installed before Splunk is run once. Splunk completes the installation phase the first time it is run. Only after Splunk is started once can you install Enterprise Security. If you see this problem, restart Splunk.

No entries exist in a lookup after editing the CSV file (even though the file exists)

This can happen when the lookup file is saved with the wrong type of line-endings. The CSV files must contain UNIX style line endings as opposed to Macintosh or Windows line endings. Convert the line-endings to UNIX style endlines and the lookup file rows should appear in Splunk.

PREVIOUS
Upgrade Splunk App for Enterprise Security
  NEXT
Dashboard requirements matrix

This documentation applies to the following versions of Splunk® Enterprise Security: 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.3.0, 3.3.1, 3.3.2, 3.3.3


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters