Splunk® Enterprise Security

Use Splunk Enterprise Security Risk-based Alerting

The documentation for Splunk Enterprise Security versions 8.0 and higher have been rearchitected from previous versions, causing some links to have redirect errors. For documentation on version 8.0, see Splunk Enterprise Security documentation homepage.
This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Troubleshoot upgrade issues with risk factors

Issue

 Upgrading Splunk Enterprise Security might not update the Risk data model Risk.json file and display the following error message:
Error in "DataModelEvaluator". JSON for datamodel risk is invalid.

Cause

Edits to the risk factors using the Risk Factor Editor modifies the risk_factors.conf configuration file and creates a local copy of the Risk data model on each of the Splunk Enterprise Security search head cluster members when the deployer pushes the updated risk data model. The local copy of the Risk data model in the /opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/models/Risk.json directory might be different from the default copy of the Risk data model in the /opt/splunk/etc/apps/SA-ThreatIntelligence/default/data/models/Risk.json directory.

Solution

Deployment type Steps
Splunk Cloud Platform deployments Contact Splunk Support and file a ticket on the Splunk Support Portal. See Support and Services.

Splunk Support removes the local copy from all members of the search head cluster. Splunk Support copies the /opt/splunk/etc/apps/SA-ThreatIntelligence/default/data/models/Risk.json default file from an updated Splunk Enterprise Security instance and overwrites the local copy with the /opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/models/Risk.json local file.

On-premises deployments
  1. Delete the local copy of the Risk.json file.
  2. Restart the search head cluster.
  3. Ensure that all risk factors, if customized, are available in the Risk.json file.

See also

For more information about risk factors, see the product documentation.

Create risk factors in Splunk Enterprise Security

Manage risk factors in Splunk Enterprise Security

Default risk factors for guidance to create risk factors in Splunk Enterprise Security

Last modified on 28 March, 2023
Creating risk notables using the behavioral analytics service   Troubleshoot common issues with risk-based alerting

This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters