Splunk® User Behavior Analytics

Administer Splunk User Behavior Analytics

Recover Splunk UBA after an outage

You can recover Splunk UBA after a planned or unplanned outage. Complete the steps described in the following scenarios:

Shut down Splunk UBA for a planned outage

Perform the following steps to shut down Splunk UBA for a planned outage:

  1. In Splunk UBA, select Manage > Data Sources.
  2. Stop each running data source.
  3. From the command line, use SSH to log in to the Splunk UBA management node as the caspida user.
  4. Stop all services.
    /opt/caspida/bin/Caspida stop-all
  5. After step 4 completes successfully, SSH into each UBA node (in a distributed UBA environment) and shut it down:
    sudo shutdown -h now

Restart Splunk UBA after an outage

After a planned or unplanned outage, perform these steps to restart all Splunk UBA services:

  1. From the command line, use SSH to log in to the Splunk UBA management node as the caspida user.
  2. Switch to a login shell for the caspida user so that the caspida environment is loaded.
    sudo su - caspida
  3. If running a distributed UBA environment, ensure each UBA node is accessible by SSH before continuing.
  4. Start all services.
    /opt/caspida/bin/Caspida start-all
  5. Log in to the Splunk UBA web interface.
  6. Select Manage > Data Sources.
  7. Start each data source.

Restart Splunk UBA and restart all services

Perform the following tasks to shut down Splunk UBA services, restart the server, and restart all Splunk UBA services:

  1. In Splunk UBA menu bar, select Manage > Data Sources.
  2. Stop each running data source.
  3. From the command line, use SSH to log in to the Splunk UBA management server as the caspida user.
  4. Stop all services.
    /opt/caspida/bin/Caspida stop-all
  5. After step 4 completes successfully, SSH into each UBA node (in a distributed UBA environment).
  6. Restart the node.
    sudo shutdown -r now
  7. Verify that each Splunk UBA node (if applicable) is back online using SSH or ping. A ping reply only shows that the host is up; SSH confirms that the node accepts logins, which the start-all step requires.
    ping <UBA-hostname>
  8. From the command line, use SSH to log in to the Splunk UBA management server as the caspida user.
  9. Switch to a login shell for the caspida user so that the caspida environment is loaded.
    sudo su - caspida
  10. If running a distributed UBA environment, ensure each UBA node is accessible by SSH before continuing.
  11. Start all services.
    /opt/caspida/bin/Caspida start-all
  12. Log in to the Splunk UBA web interface.
  13. Select Manage > Data Sources.
  14. Start each data source.

Restart Splunk UBA services

Restarting the Splunk UBA server does not restart the Splunk UBA services. Perform the following tasks to restart Splunk UBA services without restarting the server:

  1. In Splunk UBA, select Manage > Data Sources.
  2. Stop each running data source.
  3. From the command line, use SSH to log in to the Splunk UBA management server as the caspida user.
  4. Stop all services.
    /opt/caspida/bin/Caspida stop-all
  5. After stop-all has completed, restart all services.
    /opt/caspida/bin/Caspida start-all
  6. Log in to the Splunk UBA web interface.
  7. Select Manage > Data Sources.
  8. Start each data source.
Last modified on 15 December, 2023

This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.1.0, 5.1.0.1, 5.2.0, 5.2.1, 5.3.0, 5.4.0, 5.4.1

