Splunk® User Behavior Analytics Monitoring App


Example: Troubleshoot a data source

Let's examine a WARN status on the Data Sources KPI.

The WARN status from the Data Sources KPI means that one or more data sources are experiencing an issue. Click the WARN status to open the KPIs page.

This screen image shows the Splunk UBA Monitoring App home page. The Data Sources indicator is yellow and showing a status of WARN.

Examine the KPIs for the data sources

The KPIs page shows that the Splunk Data Source Lag indicator is the one generating the warning.

The graph in the Indicator Failure Trend shows that over the last 24 hours there has been a fairly consistent warning status for this data source.

This screen image shows the KPIs page for the Data Sources indicator in the Splunk UBA Monitoring App. The time range shows Last 24 hours. In the table in the middle of the page, the Data Source module and Splunk Data Source Lag indicator is showing a status of WARN.

Expand the time range to gather more information

Change the time range to Last 7 days.

An additional data source, HR data retrieval time, has also generated warnings over the past week. The value for this data source is null, which most likely means that no data is available. Examine your HR data ingestion to continue troubleshooting this issue. See Validate HR data configuration before adding other data sources in the Get Data into Splunk User Behavior Analytics manual.

The Splunk Data Source Lag indicator shows Multiple Values in the Values column. In the Indicator Failure Trend graph, click anywhere in the shaded yellow area, or click the yellow WARN box next to the graph, to view the raw events in the search page.

This screen image shows the KPIs page for the Data Sources indicator in the Splunk UBA Monitoring App. The time range shows Last 7 days. In the table in the middle of the page, the Data Source module shows two indicators, Splunk Data Source Lag and HR data retrieval time, both with a status of WARN.

Analyze the raw events

In the search page, the first event comes from the dataSourceLagMonitor. Expand the statusValue and value properties to view additional information.

This screen image shows the Search page in Splunk with a few raw events. The relevant details on the page are described in the text immediately following this image.

View expanded information in the raw events

Now you can view the data sources being tracked by the dataSourceLagMonitor process. Examine the data sources with the highest lag values to continue your investigation.

This screen image shows the Search page in Splunk with a few raw events. The relevant details on the page are described in the text immediately following this image.
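The two triage steps above, ranking the data sources reported by dataSourceLagMonitor by lag and treating a null value as "no data available" (as with the HR data retrieval time indicator), can be done outside the Splunk UI once the raw events are exported. The script below is an added example and is not code from Splunk or from the UBA Monitoring App. The event shape it parses (a JSON object with a monitor name, a statusValue, and a value map of data source name to lag in seconds) is an assumption modelled on the property names shown in the walkthrough, not the app's documented schema; the sample events, data source names and the one-hour threshold are constructed for illustration.

```python
"""Triage constructed dataSourceLagMonitor-style raw events.

Added example, not Splunk or UBA Monitoring App code. The event layout
(monitor, statusValue, value map of source -> lag seconds) is an ASSUMPTION
based on the property names in the walkthrough, not a documented schema.
"""
import json
from typing import Iterable, Tuple, List, Dict

# Constructed sample raw events (not captured from a real deployment).
SAMPLE_EVENTS = [
    json.dumps({
        "monitor": "dataSourceLagMonitor",
        "statusValue": "WARN",
        "value": {"ds-windows-security": 5400, "ds-firewall": 300, "ds-proxy": 7200},
    }),
    json.dumps({
        "monitor": "hrDataRetrievalTime",   # assumed name for the HR indicator
        "statusValue": "WARN",
        "value": None,                      # null value: no data available
    }),
    json.dumps({
        "monitor": "dataSourceLagMonitor",
        "statusValue": "OK",
        "value": {"ds-windows-security": 60, "ds-firewall": 30, "ds-proxy": 90},
    }),
]

WARN_LAG_SECONDS = 3600  # assumed threshold; tune to your own ingestion SLA


def parse_event(raw: str) -> Dict:
    """Parse one raw event (assumed to be a JSON object)."""
    return json.loads(raw)


def triage(events: Iterable[str],
           threshold: int = WARN_LAG_SECONDS) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Return (lagging, no_data).

    lagging: (data source, worst observed lag) pairs from WARN/ERROR
             dataSourceLagMonitor events at or above the threshold, highest
             lag first, so the sources with the higher numbers come first.
    no_data: monitors whose value property is null, which the walkthrough
             reads as no data being available for that source.
    """
    worst: Dict[str, int] = {}
    no_data: List[str] = []
    for raw in events:
        ev = parse_event(raw)
        monitor = ev.get("monitor", "unknown")
        value = ev.get("value")
        if value is None:
            if monitor not in no_data:
                no_data.append(monitor)
            continue
        if monitor != "dataSourceLagMonitor":
            continue
        if ev.get("statusValue") not in ("WARN", "ERROR"):
            continue
        for source, lag in value.items():
            if lag is None:                 # a null per-source entry is also "no data"
                if source not in no_data:
                    no_data.append(source)
                continue
            if lag >= threshold and lag > worst.get(source, -1):
                worst[source] = lag
    lagging = sorted(worst.items(), key=lambda kv: kv[1], reverse=True)
    return lagging, no_data


if __name__ == "__main__":
    lagging, no_data = triage(SAMPLE_EVENTS)
    for source, lag in lagging:
        print(f"investigate {source}: lag {lag}s")
    for monitor in no_data:
        print(f"check ingestion for {monitor}: value is null (no data)")
```

The sort order puts the sources worth examining first; the null handling keeps a missing value from being mistaken for a lag of zero, which is the distinction the HR data retrieval time warning turns on.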

Remediating the issues with the data sources

Usually when the Splunk Data Source Lag generates warnings or errors, it means that data is coming into Splunk UBA at a higher rate than can be processed. Consider the following remedies:

Last modified on 30 September, 2021

This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.0.0, 1.1, 1.1.1, 1.1.2
