
Known issues in Splunk UBA
This version of Splunk UBA has the following known issues and workarounds.
Date filed | Issue number | Description |
---|---|---|
2022-04-14 | UBA-15608, UBA-14502 | Exporting more than about 4,300 rows of Anomalies table results crashes the UBA UI (permanent fix for UBA-14502). |
2022-04-14 | UBA-15607, UBA-14237 | Unable to create an Anomaly Table filter, or an AAR filter for Specific Devices, when more than 20 CIDRs are specified (permanent fix for UBA-14237). |
2022-02-14 | UBA-15364 | The Spark History Server runs out of memory on large deployments with the error `java.lang.OutOfMemoryError: GC overhead limit exceeded`. Workaround: On the node that runs the Spark History Server (check the `spark.history` field in `deployments.conf` to find it), edit `/var/vcap/packages/spark/conf/spark-env.sh` and update the following setting to 3G: Afterwards, restart the Spark services: `/opt/caspida/bin/Caspida stop-spark && /opt/caspida/bin/Caspida start-spark` |
2022-01-31 | UBA-15328 | Running replication setup on 20-node clusters fails with `psql: could not connect to server: Connection refused`. Workaround: Contact Splunk Support for the revised replication setup scripts. |
2022-01-25 | UBA-15321 | The upgrade script for Ubuntu systems needs revised commands to install external packages correctly. Workaround: If the upgrade to UBA 5.0.5 failed in a locked-down environment with no internet connection, perform the following steps on the failed UBA node: |
2022-01-21 | UBA-15311 | Upgrading a standby cluster fails with `ERROR: cannot execute UPDATE in a read-only transaction`. Workaround: If the upgrade fails with that error, perform the following steps on the standby system: |
2022-01-17 | UBA-15302 | `Error from /uba/watchlistChanged` is shown even when an entity is added to the watchlist successfully. |
2021-12-13 | UBA-15192, UBA-15120 | Customizations to `Splunk_TA_nix/local/inputs.conf` break `patch_uba.sh`. Workaround: Back up any customizations to `Splunk_TA_nix/local/inputs.conf` before the upgrade, then re-add them after the upgrade completes. |
2021-11-18 | UBA-15139 | `postgresql-client-10` is missing its `libpq5 (>=10.17)` dependency. Workaround: libpq5 is not required for UBA to operate, and no later version is available for Ubuntu 16, so the dependency error can be suppressed as follows: |
2021-10-14 | UBA-14954, UBA-15198 | PostgreSQL 10.17 is missing `libjson-perl`. Workaround: Install `libjson-perl` on all nodes before running the `patch_uba.sh` script. Perform the following steps: |
2021-10-11 | UBA-14927, UBA-15186 | The UBA 5.0.5 upgrade script fails to upgrade the forwarder to 8.2.1. Workaround: If Splunk forwarding is disabled on a single node, run `/opt/splunk/bin/splunk version --accept-license --answer-yes --no-prompt --seed-passwd caspida123`. The seed password must be `caspida123` if you want to set up Splunk forwarding later. If Splunk forwarding is enabled in a multi-node environment, perform the following tasks: |
2021-09-29 | UBA-14894 | UBA EPS drops after a Splunk 8.2.1/8.2.2 upgrade on the search heads used by data sources. |
2021-09-28 | UBA-14890 | `ClassCastException` errors in the LateralMovementDetection model. |
2021-08-30 | UBA-14755 | `Replication.err` logs repeated errors: `Cannot delete snapshot s_new from path /user: the snapshot does not exist.` |
2020-06-29 | UBA-14199, UBA-12111 | Impala JDBC connections leak. Workaround: |
2020-04-07 | UBA-13804 | Kubernetes certificates expire after one year. Workaround: Run the following commands, in this order, on the Splunk UBA master node: `/opt/caspida/bin/Caspida remove-containerization`, `/opt/caspida/bin/Caspida setup-containerization`, `/opt/caspida/bin/Caspida stop-all`, `/opt/caspida/bin/Caspida start-all`. |
2019-08-29 | UBA-13020 | Anomalies migrated from test mode to active mode are not pushed to Splunk Enterprise Security (ES). |
2019-08-06 | UBA-12910 | Splunk Direct - Cloud Storage does not expose the `src_ip` field. Workaround: When ingesting Office 365 SharePoint/OneDrive logs through Splunk Direct - Cloud Storage, add a field mapping in the final SPL that derives `src_ip` from `ClientIP` (`\| eval src_ip=ClientIP`), and make sure `src_ip` is in the final list of fields selected with the `fields` command, for example: `\| fields app,change_type,dest_user,file_hash,file_size,object,object_path,object_type,parent_category,parent_hash,sourcetype,src_user,tag,src_ip` |
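The UBA-15192 workaround above says to back up a customized `Splunk_TA_nix/local/inputs.conf` before running `patch_uba.sh` and restore it afterwards, but gives no procedure. The following is an added example written for this page, not a Splunk script: it saves the file with a timestamp and a checksum, and the restore step verifies the file came back byte-for-byte. It assumes the TA is installed under the forwarder's `etc/apps` directory and that the forwarder home is `/opt/splunk` (the page only shows `/opt/splunk/bin/splunk`); set `SPLUNK_HOME` if yours differs.

```shell
#!/bin/sh
# Added example (not Splunk UBA tooling): preserve a customised
# Splunk_TA_nix/local/inputs.conf across a patch_uba.sh run.
# ASSUMPTION: the TA lives under $SPLUNK_HOME/etc/apps and the forwarder
# home is /opt/splunk; export SPLUNK_HOME to override.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
INPUTS_CONF="$SPLUNK_HOME/etc/apps/Splunk_TA_nix/local/inputs.conf"

# backup_inputs_conf SRC BACKUP_DIR
# Copies SRC into BACKUP_DIR under a timestamped name, stores a checksum
# beside it, and prints the path of the backup. Fails if SRC is absent.
backup_inputs_conf() {
  src=$1; dir=$2
  [ -f "$src" ] || { echo "nothing to back up: $src" >&2; return 1; }
  mkdir -p "$dir"
  dest="$dir/inputs.conf.$(date +%Y%m%d%H%M%S)"
  cp -p "$src" "$dest"
  cksum < "$src" > "$dest.cksum"
  printf '%s\n' "$dest"
}

# restore_inputs_conf BACKUP DEST
# Copies the backup back to DEST (creating the local/ directory if the
# upgrade removed it) and returns non-zero if the restored file does not
# match the checksum taken at backup time.
restore_inputs_conf() {
  backup=$1; dest=$2
  [ -f "$backup" ] && [ -f "$backup.cksum" ] || { echo "backup incomplete: $backup" >&2; return 1; }
  mkdir -p "$(dirname "$dest")"
  cp -p "$backup" "$dest"
  [ "$(cksum < "$dest")" = "$(cat "$backup.cksum")" ]
}
```

Usage on the node being patched: `b=$(backup_inputs_conf "$INPUTS_CONF" /var/tmp/uba-upgrade)` before running `patch_uba.sh`, then `restore_inputs_conf "$b" "$INPUTS_CONF"` after it completes, followed by a forwarder restart. Because the backup directory is outside the Splunk tree, nothing the upgrade does to `$SPLUNK_HOME` can touch it.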
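The UBA-12910 workaround has a failure mode that is easy to miss: adding `| eval src_ip=ClientIP` is not enough, because a trailing `fields` command silently drops any field not in its list. The following is an added example for this page, not Splunk code: a small POSIX shell check that lists the fields an SPL search assigns with `eval` and reports any that its final `fields` command does not keep. The two searches at the bottom are constructed from the field list on this page, one with `src_ip` omitted and one with it added. The check is deliberately simple: it splits on `|`, so a pipe inside a quoted string confuses it, and it only sees the first assignment of an `eval` with several comma-separated assignments.

```shell
#!/bin/sh
# Added example (not from the Splunk UBA docs): verify that fields created
# by `eval` in an SPL search survive the search's final `fields` command.
# Limitations: the search is split on '|' (pipes inside quoted strings are
# not handled), only the first assignment of a multi-assignment eval is
# seen, and the `fields - x` removal form is not interpreted.

# spl_eval_fields SEARCH -> one eval-assigned field name per line
spl_eval_fields() {
  printf '%s\n' "$1" | tr '|' '\n' |
    sed -n 's/^[[:space:]]*eval[[:space:]]\{1,\}\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p'
}

# spl_final_fields SEARCH -> the field list of the last `fields` command,
# one field per line, with surrounding whitespace trimmed
spl_final_fields() {
  printf '%s\n' "$1" | tr '|' '\n' |
    sed -n 's/^[[:space:]]*fields[[:space:]]\{1,\}//p' | tail -n 1 |
    tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;/^$/d'
}

# spl_dropped_eval_fields SEARCH -> prints each eval-assigned field that is
# absent from the final field list; returns 0 only if nothing is dropped
spl_dropped_eval_fields() {
  search=$1
  kept=$(spl_final_fields "$search")
  status=0
  for f in $(spl_eval_fields "$search"); do
    printf '%s\n' "$kept" | grep -qxF -- "$f" || { printf '%s\n' "$f"; status=1; }
  done
  return $status
}

# Constructed searches (the leading "..." stands for the source-specific part
# of the pipeline, which this page does not show). SPL_BROKEN computes src_ip
# but drops it; SPL_FIXED is the page's recommended final field list.
SPL_BROKEN='... | eval src_ip=ClientIP | fields app,change_type,dest_user,file_hash,file_size,object,object_path,object_type,parent_category,parent_hash,sourcetype,src_user,tag'
SPL_FIXED="$SPL_BROKEN,src_ip"
```

Run `spl_dropped_eval_fields "$SPL_BROKEN"` and it prints `src_ip` and exits 1; the same call on `$SPL_FIXED` prints nothing and exits 0. The same check applies to any other field you add by `eval` in a Splunk Direct data source: if it is not in the final `fields` list, UBA never sees it.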
This documentation applies to the following versions of Splunk® User Behavior Analytics: 5.0.5.1