Splunk® Enterprise Security

Troubleshoot Splunk Enterprise Security

The documentation for Splunk Enterprise Security versions 8.0 and higher has been rearchitected from previous versions, causing some links to have redirect errors. For documentation on versions 7.x and earlier, see Splunk Enterprise Security 7.x documentation.

Troubleshoot risk modifiers in Splunk Enterprise Security

Manually fix the default risk modifiers in the savedsearches.conf configuration file if an automatic migration of the risk modifiers for event-based detections fails in Splunk Enterprise Security.

Issue

Default risk modifiers are not automatically added to the event-based detections in Splunk Enterprise Security. If the migration mod input fails to process and remove invalid risk modifiers from searches, the following error message appears in the UI: Failed to migrate the following detections....

Cause

Automatic migration of the default risk modifiers failed.

Solution

Follow these steps to add the default risk modifiers in event-based detections:

  1. In Splunk Enterprise Security, determine which searches have not been updated successfully by running the following search:

    | rest /servicesNS/-/-/saved/searches splunk_server=local count=0 | search action.risk.param._risk = "[]" OR action.risk.param._risk = "[{\"risk_object_field\":\"\",\"risk_object_type\":\"\",\"risk_score\":1}]" | table action.correlationsearch.label, action.risk.param._risk

  2. Navigate to Settings then Data Inputs and then Configuration checker.
  3. Locate the confcheck_es_migrate_faulty_riskmodifiers input.
  4. Enable the mod input. If successful, the input cleans up and disables itself automatically within a minute.

    If the input has not disabled itself after about 10 minutes, disable it manually.

  5. Run the following search again to confirm that the searches have been successfully updated:

    | rest /servicesNS/-/-/saved/searches splunk_server=local count=0 | search action.risk.param._risk = "[]" OR action.risk.param._risk = "[{\"risk_object_field\":\"\",\"risk_object_type\":\"\",\"risk_score\":1}]" | table action.correlationsearch.label, action.risk.param._risk

    If the migration worked correctly, the search returns 0 results.

If the search returns more than 0 results, follow these additional steps:

  1. Identify the searches that still contain invalid entries by running the following search:

    | rest /servicesNS/-/-/saved/searches splunk_server=local count=0 | search NOT action.risk.param._risk = "[]" OR action.risk.param._risk = "[{\"risk_object_field\":\"\",\"risk_object_type\":\"\",\"risk_score\":1}]" | table action.correlationsearch.label, action.risk.param._risk, eai:acl.app

  2. Remove the invalid entries by running the following cURL command for each search obtained from step 1:

    curl -k -v -u {username:password} {instanceURL:splunkdport}/{context}/{app}/saved/searches/{search_name} -d action.risk.param._risk=''

    For more details, see the saved/searches API in the Splunk Enterprise REST API Reference Manual.
  3. Verify that there are no invalid searches by rerunning the search from step 1. The search should return 0 results.
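The following added example (not part of the Splunk documentation) applies the same check as the searches above to the JSON form of the saved/searches REST response, so the faulty detections can be listed offline and the cleanup cURL command from step 2 built for each one. The sample entries, the host name and the `servicesNS/-/{app}` context are constructed assumptions; the response field names (`name`, `acl.app`, `content`) follow the Splunk REST JSON layout.

```python
import json
from urllib.parse import quote

# Constructed sample in the shape of GET saved/searches?output_mode=json (entry[] only).
SAMPLE_ENTRIES = [
    {"name": "ESCU - Example Detection - Rule", "acl": {"app": "DA-ESS-ContentUpdate"},
     "content": {"action.correlationsearch.label": "Example Detection",
                 "action.risk.param._risk": "[]"}},
    {"name": "Access - Brute Force - Rule", "acl": {"app": "SA-AccessProtection"},
     "content": {"action.correlationsearch.label": "Brute Force",
                 "action.risk.param._risk": json.dumps(
                     [{"risk_object_field": "", "risk_object_type": "", "risk_score": 1}])}},
    {"name": "Endpoint - Valid - Rule", "acl": {"app": "SplunkEnterpriseSecuritySuite"},
     "content": {"action.correlationsearch.label": "Valid",
                 "action.risk.param._risk": json.dumps(
                     [{"risk_object_field": "user", "risk_object_type": "user", "risk_score": 40}])}},
    {"name": "No Risk Action - Rule", "acl": {"app": "search"}, "content": {}},
]

PLACEHOLDER = {"risk_object_field": "", "risk_object_type": "", "risk_score": 1}

def is_faulty_risk_modifier(raw):
    """True for the two invalid forms the page's search matches: an empty list, or a
    single placeholder entry with blank field/type and risk_score 1. The SPL search
    compares the literal string; parsing the JSON tolerates whitespace differences."""
    if raw is None:
        return False
    try:
        mods = json.loads(raw)
    except ValueError:
        return False
    if not isinstance(mods, list):
        return False
    return mods == [] or (len(mods) == 1 and mods[0] == PLACEHOLDER)

def find_faulty_searches(entries):
    """Return (label, app, name) for each saved search with an invalid default risk modifier."""
    hits = []
    for e in entries:
        content = e.get("content", {})
        if is_faulty_risk_modifier(content.get("action.risk.param._risk")):
            hits.append((content.get("action.correlationsearch.label", e["name"]),
                         e["acl"]["app"], e["name"]))
    return hits

def cleanup_command(base_url, app, name, user="-"):
    """Build the step 2 cURL call. Search names usually contain spaces, so the name is
    percent-encoded in the path; credentials are left as shell variables."""
    path = f"/servicesNS/{user}/{app}/saved/searches/{quote(name, safe='')}"
    return f"curl -k -u \"$SPLUNK_USER:$SPLUNK_PASS\" '{base_url}{path}' -d action.risk.param._risk=''"
```

Running `find_faulty_searches` over the real response (for example `curl -k -u user:pass 'https://host:8089/servicesNS/-/-/saved/searches?count=0&output_mode=json'`) and printing `cleanup_command` for each hit gives a review list before anything is changed.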
Last modified on 08 January, 2025

This documentation applies to the following versions of Splunk® Enterprise Security: 8.0.2