All Apps and Add-ons

How to fix "Enum Mismatch beyond error threshold" error ?

cweiliou_splunk
Splunk Employee
Splunk Employee

I am using UBA and I am seeing below error in "Splunk Direct Data Source Enum Check" INDICATOR of my page "Home" > "Health Monitor" > "Data Quality Indicator".

Enum Mismatch beyond error threshold.
Stop the affected data source and make sure UBA is able to understand enum fields. Take one of two actions - 1) modify SPL to make sure values in enum fields should match what's expected in normalize.rules file 2) update normalize.rules to enable UBA to understand incoming data.
Status code ENUM_MISMATCH_BAD.

Any idea how to fix it ?

1 Solution

cweiliou_splunk
Splunk Employee
Splunk Employee

The error means that you have some invalid values in some of your data source's fields.
If you go to the page "Home" > "Health Monitor" > "Data Quality Indicator" > "Data Source Detials" of your data source showing the errors then you should be able to find the problematic fields by adding "?system" to your URL.
If you have a URL like the below one :

https://xxxx/#XmsxyOm.

Then you should be able to see the problematic fields after adding "?system" in between "/" and "#" as below

https://xxxx/?system#XmsxyOm.

After adding "?system", "Data Source Details" page should show "Splunk Direct Enum Mismatch" area which should mention the fields which are having invalid value issue in "ENUM FIELD" column.
For example, if you are getting errors with the "action" field of your "McAfee_NIPS" data source then you should see "action" in "ENUM FIELD" column and the invalid values in "INVALID VALUE" column and number of events for each invalid value in "EVENTS" column.

As mentioned in below documentation, UBA accepts only "allowed" and "blocked" for "action" field
https://docs.splunk.com/Documentation/UBA/4.3.0/GetDataIn/CIMtoUBAfields#Endpoint_category

action Y The action taken by the endpoint. allowed, blocked

But if you have values such as "Inconclusive", "Attack Blocked" then you will need to map those values to either "allowed" or "blocked" by adding "eval" to your data source's SPL.
Below is an example of the eval clause but you will need to re-write it to fit your own case.

eval action=case(action="deferred" OR like(lower(action),"block%"),"blocked",action="notified","allowed",1=1,"allowed")

View solution in original post

cweiliou_splunk
Splunk Employee
Splunk Employee

The error means that you have some invalid values in some of your data source's fields.
If you go to the page "Home" > "Health Monitor" > "Data Quality Indicator" > "Data Source Detials" of your data source showing the errors then you should be able to find the problematic fields by adding "?system" to your URL.
If you have a URL like the below one :

https://xxxx/#XmsxyOm.

Then you should be able to see the problematic fields after adding "?system" in between "/" and "#" as below

https://xxxx/?system#XmsxyOm.

After adding "?system", "Data Source Details" page should show "Splunk Direct Enum Mismatch" area which should mention the fields which are having invalid value issue in "ENUM FIELD" column.
For example, if you are getting errors with the "action" field of your "McAfee_NIPS" data source then you should see "action" in "ENUM FIELD" column and the invalid values in "INVALID VALUE" column and number of events for each invalid value in "EVENTS" column.

As mentioned in below documentation, UBA accepts only "allowed" and "blocked" for "action" field
https://docs.splunk.com/Documentation/UBA/4.3.0/GetDataIn/CIMtoUBAfields#Endpoint_category

action Y The action taken by the endpoint. allowed, blocked

But if you have values such as "Inconclusive", "Attack Blocked" then you will need to map those values to either "allowed" or "blocked" by adding "eval" to your data source's SPL.
Below is an example of the eval clause but you will need to re-write it to fit your own case.

eval action=case(action="deferred" OR like(lower(action),"block%"),"blocked",action="notified","allowed",1=1,"allowed")
Get Updates on the Splunk Community!

Understanding Generative AI Techniques and Their Application in Cybersecurity

Watch On-Demand Artificial intelligence is the talk of the town nowadays, with industries of all kinds ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Using the Splunk Threat Research Team’s Latest Security Content

REGISTER HERE Tech Talk | Security Edition Did you know the Splunk Threat Research Team regularly releases ...