Troubleshoot upgrade issues with risk factors
Issue
Upgrading Splunk Enterprise Security might not update the Risk data model file Risk.json
and might display the following error message: Error in "DataModelEvaluator". JSON for datamodel risk is invalid.
Cause
Edits to the risk factors using the Risk Factor Editor modify the risk_factors.conf
configuration file and create a local copy of the Risk data model on each Splunk Enterprise Security search head cluster member when the deployer pushes the updated risk data model. The local copy of the Risk data model at /opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/models/Risk.json
might differ from the default copy of the Risk data model at /opt/splunk/etc/apps/SA-ThreatIntelligence/default/data/models/Risk.json,
and the local copy takes precedence.
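A quick way to confirm this cause on a search head cluster member is to check whether a local Risk.json exists, whether it still parses, and whether it differs from the shipped default. The script below is an added example, not Splunk's own tooling: the two paths are the ones quoted above, the JSON structure in demo() is a minimal constructed stand-in rather than the real Risk data model, and the file and function names are the author's choices.

```python
import json
import os
import tempfile

# Paths quoted on the page for the default and local copies of the Risk data model.
DEFAULT_MODEL = "/opt/splunk/etc/apps/SA-ThreatIntelligence/default/data/models/Risk.json"
LOCAL_MODEL = "/opt/splunk/etc/apps/SA-ThreatIntelligence/local/data/models/Risk.json"


def load_model(path):
    """Parse a data model JSON file. Returns (data, None) on success, (None, reason) otherwise."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh), None
    except FileNotFoundError:
        return None, "file not found"
    except json.JSONDecodeError as exc:
        return None, "invalid JSON: %s (line %d, column %d)" % (exc.msg, exc.lineno, exc.colno)


def check_risk_model(default_path=DEFAULT_MODEL, local_path=LOCAL_MODEL):
    """Classify the local Risk.json relative to the default copy.

    Returns a dict:
      local_state: 'absent' | 'invalid' | 'identical' | 'differs'
      default_ok:  True when the default copy parses
      detail:      human-readable explanation
    """
    default_data, default_err = load_model(default_path)
    local_data, local_err = load_model(local_path)
    result = {"default_ok": default_err is None, "detail": ""}

    if local_err == "file not found":
        result["local_state"] = "absent"
        result["detail"] = "no local override present; the default copy is in effect"
    elif local_err is not None:
        # This is the condition behind the DataModelEvaluator error described on the page.
        result["local_state"] = "invalid"
        result["detail"] = "local copy does not parse: " + local_err
    elif default_data is not None and local_data == default_data:
        result["local_state"] = "identical"
        result["detail"] = "local copy parses to the same content as the default"
    else:
        result["local_state"] = "differs"
        base = default_data or {}
        changed = sorted(k for k in set(base) | set(local_data) if base.get(k) != local_data.get(k))
        result["detail"] = "local copy overrides the default; top-level keys that differ: " + ", ".join(changed)
    return result


def demo():
    """Exercise the check on constructed files in a temporary directory.

    The JSON here is a minimal stand-in, not the real Risk data model shipped with ES.
    Returns a dict mapping each expected state to the state the check reported.
    """
    default_model = {"modelName": "Risk", "objects": [{"objectName": "All_Risk", "fields": ["risk_score"]}]}
    edited_model = {"modelName": "Risk", "objects": [{"objectName": "All_Risk", "fields": ["risk_score", "risk_factor"]}]}
    broken_text = '{"modelName": "Risk", "objects": [}'  # unbalanced bracket: parse failure
    states = {}
    with tempfile.TemporaryDirectory() as tmp:
        default_path = os.path.join(tmp, "default_Risk.json")
        with open(default_path, "w", encoding="utf-8") as fh:
            json.dump(default_model, fh)
        local_path = os.path.join(tmp, "local_Risk.json")

        # Case 1: no local override at all.
        states["absent"] = check_risk_model(default_path, os.path.join(tmp, "none.json"))["local_state"]
        # Case 2: a valid local edit that differs from the default.
        with open(local_path, "w", encoding="utf-8") as fh:
            json.dump(edited_model, fh)
        states["differs"] = check_risk_model(default_path, local_path)["local_state"]
        # Case 3: a local copy that is broken JSON.
        with open(local_path, "w", encoding="utf-8") as fh:
            fh.write(broken_text)
        states["invalid"] = check_risk_model(default_path, local_path)["local_state"]
        # Case 4: a local copy that matches the default.
        with open(local_path, "w", encoding="utf-8") as fh:
            json.dump(default_model, fh)
        states["identical"] = check_risk_model(default_path, local_path)["local_state"]
    return states


if __name__ == "__main__":
    print("constructed cases:", demo())
    print("this host:", json.dumps(check_risk_model(), indent=2))
```

Run it once per search head cluster member; a result of "invalid" on any member matches the error in the Issue section, and "differs" shows the override that a deployer push will not replace.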
Solution
Deployment type | Steps
---|---
Splunk Cloud Platform deployments | Contact Splunk Support and file a ticket on the Splunk Support Portal. See Support and Services. Splunk Support removes the local copy from all members of the search head cluster. Splunk Support copies the
On-premises deployments |
See also
For more information about risk factors, see the product documentation.
Create risk factors in Splunk Enterprise Security
Manage risk factors in Splunk Enterprise Security
Default risk factors for guidance to create risk factors in Splunk Enterprise Security
This documentation applies to the following versions of Splunk® Enterprise Security: 7.1.0, 7.1.1, 7.1.2, 7.2.0, 7.3.0, 7.3.1, 7.3.2