Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Recover Splunk UBA after an outage

Recover Splunk UBA after a planned or unplanned outage.

Shut down Splunk UBA for a planned outage

Perform the following tasks to shut down Splunk UBA for a planned outage:

  1. In Splunk UBA, select Manage > Data Sources.
  2. Stop each running data source.
  3. From the command line, use SSH to log in to the Splunk UBA management node as the caspida user.
  4. Stop all services.
    /opt/caspida/bin/Caspida stop-all
  5. Shut down Splunk UBA.
    sudo shutdown –h now

Restart Splunk UBA after an outage

After a planned or unplanned outage, restart all Splunk UBA services.

  1. From the command line, use SSH to log in to the Splunk UBA management node as the caspida user.
  2. Escalate caspida privileges to sudo.
    sudo su - caspida
  3. Start the containers.
    /opt/caspida/bin/Caspida setup-containerization
  4. Start all services.
    /opt/caspida/bin/Caspida start-all
  5. Log in to the Splunk UBA web interface.
  6. Select Manage > Data Sources.
  7. Start each data source.

Restart Splunk UBA and restart all services

Perform the following tasks to shut down Splunk UBA services, restart the server, and restart all Splunk UBA services.

  1. In Splunk UBA menu bar, select Manage > Data Sources.
  2. Stop each running data source.
  3. From the command line, use SSH to log in to the Splunk UBA management server as the caspida user.
  4. Stop all services.
    /opt/caspida/bin/Caspida stop-all
  5. Restart Splunk UBA.
    sudo shutdown –r now
  6. Verify that Splunk UBA is back online.
    ping <UBA-hostname>
  7. From the command line, use SSH to log in to the Splunk UBA management server as the caspida user.
  8. Escalate caspida privileges to sudo.
    sudo su - caspida
  9. Start the containers.
    /opt/caspida/bin/Caspida setup-containerization
  10. Start all services.
    /opt/caspida/bin/Caspida start-all
  11. Log in to the Splunk UBA web interface.
  12. Select Manage > Data Sources.
  13. Start each data source.

Restart Splunk UBA Services

Perform the following tasks to restart Splunk UBA services. Restarting the Splunk UBA server does not restart the Splunk UBA services.

  1. In Splunk UBA, select Manage > Data Sources.
  2. Stop each running data source.
  3. From the command line, use SSH to log in to the Splunk UBA management server as the caspida user.
  4. Stop all services.
    /opt/caspida/bin/Caspida stop-all
  5. After stop-all has completed, restart all services.
    /opt/caspida/bin/Caspida start-all
  6. Log in to the Splunk UBA web interface.
  7. Select Manage > Data Sources.
  8. Start each data source.
Last modified on 11 October, 2021
PREVIOUS
Clean up the standby system if you accidentally started Splunk UBA services
  NEXT
Monitor your Splunk UBA deployment directly from Splunk Enterprise

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.4.1, 5.0.5, 5.0.5.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters