Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Troubleshooting risk-based alerting in Splunk Enterprise Security

Following are some issues you might encounter while working with risk-based alerting:

Upgrade issues with risk factors

Issue

Upgrading Splunk Enterprise Security might not update the Risk data model file Risk.json, and the following error message is displayed: Error in "DataModelEvaluator". JSON for datamodel risk is invalid.

Cause

Editing risk factors with the Risk Factor editor modifies the risk_factors.conf configuration file and creates a local copy of the Risk data model on each Enterprise Security search head cluster member when the deployer pushes the updated Risk data model. This local copy, /opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/models/Risk.json, can differ from the default copy, /opt/splunk/etc/apps/SA-ThreatIntelligence/default/data/models/Risk.json, and it is the local copy that the search heads load.

Solution

On-prem:

Delete the local copy of the Risk.json file, then restart the search head cluster. After the restart, ensure that all risk factors, including any customized ones, are present in the Risk.json file.
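The on-prem steps above can be scripted so that the local Risk.json is only removed when it is actually the problem. The following script is an added example and is not part of the Splunk documentation or Splunk's own tooling. It assumes SPLUNK_HOME is /opt/splunk (overridable through the environment), that python3 or jq is on PATH for JSON validation, and that a backup directory under $SPLUNK_HOME/var is writable; the Risk.json sample keys used in comments are constructed for illustration. It classifies the local copy as missing, invalid JSON (the DataModelEvaluator error case), drifted from default, or identical, and only in the invalid or drifted cases moves it to a timestamped backup so the customized risk factors can be compared against the default file after the restart.

```shell
#!/bin/sh
# Added example (not Splunk's code): detect and remove a drifted or invalid local copy of the
# Risk data model on an Enterprise Security search head, keeping a backup for later comparison.
# Assumption: SPLUNK_HOME defaults to /opt/splunk; python3 or jq is available for JSON parsing.

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
RISK_DEFAULT="$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/default/data/models/Risk.json"
RISK_LOCAL="$SPLUNK_HOME/etc/apps/SA-ThreatIntelligence/local/data/models/Risk.json"

# risk_json_valid FILE: returns 0 if FILE parses as JSON, non-zero otherwise.
# Uses python3's json.tool when present, falling back to jq.
risk_json_valid() {
    if command -v python3 >/dev/null 2>&1; then
        python3 -m json.tool "$1" >/dev/null 2>&1
    elif command -v jq >/dev/null 2>&1; then
        jq . "$1" >/dev/null 2>&1
    else
        echo "no JSON parser (python3 or jq) found" >&2
        return 2
    fi
}

# risk_model_status LOCAL DEFAULT: prints exactly one of
#   no-local       no local override exists, nothing to do
#   local-invalid  local copy is not valid JSON (matches the "JSON for datamodel risk is invalid" error)
#   drift          local copy is valid JSON but differs from the default copy
#   same           local copy is byte-identical to the default copy
risk_model_status() {
    local_f="$1"; default_f="$2"
    if [ ! -f "$local_f" ]; then echo no-local; return 0; fi
    if ! risk_json_valid "$local_f"; then echo local-invalid; return 0; fi
    if cmp -s "$local_f" "$default_f"; then echo same; else echo drift; fi
}

# remove_local_risk_model LOCAL BACKUP_DIR: move the local override out of the app so the
# search head falls back to the default Risk.json; the backup keeps any customized risk
# factors available for verification after the cluster restart.
remove_local_risk_model() {
    local_f="$1"; backup_dir="$2"
    [ -f "$local_f" ] || return 0
    mkdir -p "$backup_dir"
    mv "$local_f" "$backup_dir/Risk.json.$(date +%Y%m%d%H%M%S)"
}

main() {
    status=$(risk_model_status "$RISK_LOCAL" "$RISK_DEFAULT")
    echo "Risk data model local copy: $status"
    case "$status" in
        local-invalid|drift)
            remove_local_risk_model "$RISK_LOCAL" "$SPLUNK_HOME/var/risk-model-backup"
            echo "Local Risk.json moved to $SPLUNK_HOME/var/risk-model-backup."
            echo "Restart the search head cluster from the captain, e.g.:"
            echo "  $SPLUNK_HOME/bin/splunk rolling-restart shcluster-members"
            echo "Then confirm the customized risk factors are present in the loaded Risk.json."
            ;;
    esac
}

main "$@"
```

Run it on each search head cluster member (or let the captain's rolling restart pick up the removal on all of them); the backup makes the "ensure that all risk factors are available" step a straightforward diff between the saved copy and the file the search head now loads.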

On Cloud:

Contact Splunk Support and file a ticket on the Splunk Support Portal. See Support and Services.

Splunk Support removes the local copy from all members of the search head cluster: it copies the default file /opt/splunk/etc/apps/SA-ThreatIntelligence/default/data/models/Risk.json from an updated Enterprise Security instance and overwrites the local copy /opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/models/Risk.json with it.

Last modified on 28 November, 2022
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1