Splunk® Add-on for Splunk Attack Analyzer

User Guide

Troubleshoot the Splunk Add-on for Splunk Attack Analyzer

For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.

Inputs or Configuration page not loading after installation

If the Inputs or Configuration page isn't loading after installation, check if either page shows a warning.

Cause

The web cache might not have updated.

Solution

  1. Clear the cache by navigating to http://<splunk-server>:8000/en-US/_bump.
  2. If the Configuration page is loading but the Inputs page isn't loading, delete any connections and recreate them.

Events don't appear after configuring an input

If events don't appear after configuring an input, perform the following steps to find the issue.

Solution

  1. Confirm that the input appears on the Inputs page and is enabled.
  2. Confirm the connection is configured on the Configuration page and has a valid API key.
  3. Run the following Search Processing Language (SPL) search, replacing saa_input with the name of the input you are troubleshooting. Look for any mentions of 401, which might indicate authentication issues, and for any mentions of timeouts, which might indicate network connectivity issues.

    index=_internal source="/opt/splunk/var/log/splunk/Splunk_TA_SAA_*" | eval input_name = "saa_input" | where source="/opt/splunk/var/log/splunk/Splunk_TA_SAA_".input_name.".log" | search event=* | rex field=_raw "index=(?<target_index>.*?)\s" | sort -_time | table _time, pid, event, account, target_index
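As an added example that is not part of this documentation, the following Python script applies the same checks as the SPL search above directly to a copy of a Splunk_TA_SAA_<input>.log file, for cases where the add-on logs are at hand but the _internal index is not. The key=value log layout and the sample lines are assumptions constructed for illustration, not the add-on's actual log format.

```python
import re

# Constructed sample lines from a hypothetical Splunk_TA_SAA_saa_input.log.
# The key=value layout is an assumption, not the add-on's real log format.
SAMPLE_LOG = """\
2023-08-30 10:00:01,123 INFO pid=4242 event="retrieved proxy settings" account=saa_prod
2023-08-30 10:00:02,456 INFO pid=4242 event="fetching submissions" account=saa_prod index=saa
2023-08-30 10:00:03,789 ERROR pid=4242 event="request failed" account=saa_prod index=saa status=401
2023-08-30 10:00:10,000 ERROR pid=4242 event="request failed" account=saa_prod index=saa error="read timeout after 30s"
2023-08-30 10:00:11,500 INFO pid=4242 event="checkpoint loaded" account=saa_prod
"""

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Same extraction as the SPL rex: the token after "index=" up to the next whitespace.
INDEX_RE = re.compile(r"index=(?P<target_index>.*?)\s")


def parse_line(line):
    """Split one log line into its key=value fields plus the leading timestamp as _time."""
    fields = {k: (quoted if quoted else bare) for k, quoted, bare in KV_RE.findall(line)}
    fields["_time"] = line[:23]
    m = INDEX_RE.search(line + " ")
    fields["target_index"] = m.group("target_index") if m else None
    return fields


def diagnose(log_text):
    """Mirror the troubleshooting SPL: keep lines that carry an event field, order them
    newest first (sort -_time), and tag lines pointing at auth (401) or network (timeout) trouble."""
    rows = [parse_line(l) for l in log_text.splitlines() if "event=" in l]
    rows.sort(key=lambda r: r["_time"], reverse=True)
    for r in rows:
        # Inspect field values only, so digits in the timestamp cannot produce a false 401 hit.
        values = " ".join(str(v) for k, v in r.items() if k != "_time" and v is not None)
        if "401" in values:
            r["hint"] = "authentication: check the API key on the Configuration page"
        elif "timeout" in values.lower():
            r["hint"] = "network: check connectivity and proxy settings to Splunk Attack Analyzer"
        else:
            r["hint"] = None
    return rows


if __name__ == "__main__":
    for r in diagnose(SAMPLE_LOG):
        print(r["_time"], r.get("pid"), r.get("event"), r.get("account"), r["target_index"], r["hint"])
```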

No connection to Splunk Attack Analyzer

If there is no connection to Splunk Attack Analyzer, perform the following steps to find the issue.

Cause

The Splunk Add-on for Splunk Attack Analyzer won't ingest any events from Splunk Attack Analyzer if the proxy is configured incorrectly.

Solution

  1. Check if the proxy details are configured and enabled on the Configuration page.
  2. Check whether the modular input is able to load proxy configuration settings on startup using the following search. The event in the logs indicates what settings are loaded.

    index=_internal source="/opt/splunk/var/log/splunk/Splunk_TA_SAA_*" | eval input_name = "saa_input" | where source="/opt/splunk/var/log/splunk/Splunk_TA_SAA_".input_name.".log" | search event="retrieved proxy settings"

Duplicate data is ingested from Splunk Attack Analyzer

If you are seeing duplicate data from Splunk Attack Analyzer, use the following search to find the issue.

Cause

Occasionally, Splunk Attack Analyzer data might be duplicated within Splunk Attack Analyzer.

Solution

Check whether the modular input is loading checkpoint information by running the following search, replacing x1 with the name of the input you are troubleshooting.

    index=_internal source="/opt/splunk/var/log/splunk/Splunk_TA_SAA_*" | eval input_name = "x1" | where source="/opt/splunk/var/log/splunk/Splunk_TA_SAA_".input_name.".log" | search checkpoint

The adaptive response action isn't dispatched to Splunk Attack Analyzer

If the adaptive response action isn't dispatched to Splunk Attack Analyzer, perform the following steps to find the issue.

Solution

  1. Check whether the issue appears only when using a saved action, or if it also appears when running an action manually. If the issue appears when using a saved action, check that the correct token is used in the URL field. See Use tokens in email notifications in the Splunk Enterprise Alerting Manual for more information.
  2. Check if the alert action can be dispatched manually by running the following search.

    | makeresults n=1 | sendalert saa_alert_submit_url param.account="mykey" param.url="https://google.com"

  3. In Splunk Enterprise Security, from the notable, select View Adaptive Response Invocations to check if any logs indicate failure.
  4. Check the mod action logs to see whether there are any exceptions raised for the saa_alert_submit_url action by running the following search.

    tag=modaction action_name=saa_alert_submit_url

Last modified on 30 August, 2023

This documentation applies to the following versions of Splunk® Add-on for Splunk Attack Analyzer: 1.0.0, 1.1.0, 1.1.1

