Example: Troubleshoot an output connector
Let's examine a BAD status for the Output Connector indicator.
The BAD status means something has stopped working. Click on the status to view more information.
Examine the KPIs for the output connector
On this KPIs screen, we can highlight the BAD status in the Indicator Failure Trend and see that the event occurred between Midnight and 1:00 AM on February 6. The Health Monitor section of the page shows additional information that Splunk UBA was not able to send threat to Splunk Enterprise Security (ES).
We can examine the Splunk UBA logs for further information. Click UBA Logs in the menu bar.
Examine the Splunk UBA logs
By default, error level messages are shown on the UBA Logs page. Add WARN to the Log Level filter at the top of the page. The outputconnector.log
appears as one of the top 10 logs generating events in the system.
Click on outputconnector.log
to view more information.
Examine events in the log
You can change the time range in the Event Count Trend to narrow down the number of events you examine. Earlier in the example, we noticed issues between Midnight - 1:00 AM. Adjust the slider in the Event Count Trend to include only events between Midnight - 1:00 AM on February 6.
We see many Broken pipe
warning messages, indicating a problem with the connection in the output connector.
In this situation, you can consider the following actions:
- Check your Splunk ES instance to make sure that it is still running.
- Verify your network settings to make sure that Splunk UBA can reach your Splunk ES instance.
Example: Troubleshoot a data source |
This documentation applies to the following versions of Splunk® User Behavior Analytics Monitoring App: 1.0.0, 1.1, 1.1.1, 1.1.2, 1.1.3
Feedback submitted, thanks!