Leverage operational logging for self-service supportability
You can view event parsing errors by querying the security_application_logs index from Splunk Mission Control. For example, if you expect to see certain detections in your environment but they are not appearing, you can search for parsing errors to help you troubleshoot: the data source might not be supported, or the events might not be in the required format or might be missing specific fields.
The following table summarizes the errors that are logged. Contact customer support if you are not able to remediate any issues you encounter.
Error | Level | Description and remediation |
---|---|---|
INTERNAL_ERROR | ERROR | There was an unexpected error while processing the event. |
INVALID_INPUT | ERROR | There was an internal error. The event could not be processed. |
INVALID_TENANT | ERROR | There was an internal error. The tenant name could not be extracted from the raw event. |
NO_ENTITIES | INFO | The event was dropped because no valid users or devices were found. |
NO_PARSING_RESULT | WARN | The event was dropped because it did not contain the key fields required by the behavioral analytics service. Check that your source type matches the event type, or check the format of the raw event. |
NO_RESOLVER_OR_TRAINER | INFO | The event was successfully parsed but could not be mapped to a supported CIM data model. |
PARSING_ERROR | ERROR | The event was dropped because of a parsing error. Check that the event is in a valid format. |
Perform the following steps to query the security_application_logs index:
- Click Search in the Splunk Mission Control menu bar.
- Enter the desired search in the search field.
The following example search returns a summary of how many ERROR, INFO, and WARN messages are logged:
| from security_application_logs | stats count() by tenant, status
The following example search returns all parsing messages logged for the WinEventLog source:
| from security_application_logs | where extracted_sourceType="WinEventLog"
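The following triage search combines the two examples above: it keeps only WARN and ERROR messages and counts them per source type so you can see which feeds are losing events before you inspect the raw events. It is an added example, not part of the original page; it assumes the status field holds the log level and extracted_sourceType holds the source type, as the searches above suggest.

```spl
// Added example (not from the original page): count dropped or failed
// events per source type and level. Assumes status = log level and
// extracted_sourceType = source type, as in the searches above.
| from security_application_logs
| where status="ERROR" OR status="WARN"
| stats count() AS n by tenant, extracted_sourceType, status
| sort -n
```

A source type that appears here with a high WARN count while its detections are missing usually points to a sourcetype mismatch or a format problem, which is where the NO_PARSING_RESULT remediation in the table applies.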
This documentation applies to the following versions of Splunk® Enterprise Security: 7.0.1, 7.0.2