All Apps and Add-ons

How to fix "Enum Mismatch beyond error threshold" error?

cweiliou_splunk
Splunk Employee

I am using UBA and I am seeing the error below in the "Splunk Direct Data Source Enum Check" INDICATOR on my page "Home" > "Health Monitor" > "Data Quality Indicator".

Enum Mismatch beyond error threshold.
Stop the affected data source and make sure UBA is able to understand enum fields. Take one of two actions - 1) modify SPL to make sure values in enum fields should match what's expected in normalize.rules file 2) update normalize.rules to enable UBA to understand incoming data.
Status code ENUM_MISMATCH_BAD.

Any idea how to fix it?

1 Solution

cweiliou_splunk
Splunk Employee

The error means that you have some invalid values in some of your data source's fields.
If you go to the page "Home" > "Health Monitor" > "Data Quality Indicator" > "Data Source Details" of the data source showing the errors, then you should be able to find the problematic fields by adding "?system" to your URL.
If you have a URL like the one below:

https://xxxx/#XmsxyOm.

Then you should be able to see the problematic fields after adding "?system" between "/" and "#", as below:

https://xxxx/?system#XmsxyOm.

After adding "?system", the "Data Source Details" page should show a "Splunk Direct Enum Mismatch" area, which lists the fields that have invalid values in the "ENUM FIELD" column.
For example, if you are getting errors with the "action" field of your "McAfee_NIPS" data source, then you should see "action" in the "ENUM FIELD" column, the invalid values in the "INVALID VALUE" column, and the number of events for each invalid value in the "EVENTS" column.

As mentioned in the documentation below, UBA accepts only "allowed" and "blocked" for the "action" field:
https://docs.splunk.com/Documentation/UBA/4.3.0/GetDataIn/CIMtoUBAfields#Endpoint_category

action Y The action taken by the endpoint. allowed, blocked

But if you have values such as "Inconclusive" or "Attack Blocked", then you will need to map those values to either "allowed" or "blocked" by adding an "eval" to your data source's SPL.
Below is an example of the eval clause, but you will need to rewrite it to fit your own case.

eval action=case(action="deferred" OR like(lower(action),"block%"),"blocked",action="notified","allowed",1=1,"allowed")

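An added example (not from the original post and not UBA's own code) that replays the check described in the answer offline: it builds the ENUM FIELD / INVALID VALUE / EVENTS table from a constructed sample of events and then applies a mapping modelled on the eval clause above. The allowed values for "action" are the documented ones; the sample events, and the switch from a "block%" prefix match to a contains match so that "Attack Blocked" lands in "blocked", are my own assumptions.

```python
from collections import Counter

# Allowed values per UBA enum field. Only "action" is documented on this page;
# extend the dict from the CIM-to-UBA field reference for other enum fields.
ALLOWED = {"action": {"allowed", "blocked"}}

# Constructed sample of raw `action` values an IPS-style source might emit.
SAMPLE_EVENTS = [
    {"action": "Attack Blocked"}, {"action": "Attack Blocked"},
    {"action": "Inconclusive"}, {"action": "deferred"},
    {"action": "notified"}, {"action": "allowed"}, {"action": "BLOCK"},
]


def enum_mismatches(events, allowed=ALLOWED):
    """Return {enum_field: {invalid_value: event_count}}, i.e. the ENUM FIELD /
    INVALID VALUE / EVENTS columns of the Data Source Details page."""
    bad = {}
    for ev in events:
        for field, ok in allowed.items():
            val = ev.get(field)
            if val is not None and val not in ok:
                bad.setdefault(field, Counter())[val] += 1
    return {f: dict(c) for f, c in bad.items()}


def normalize_action(value):
    """Mapping modelled on the answer's eval/case() clause, adapted to a
    contains match ("%block%") so "Attack Blocked" becomes "blocked"; the
    original prefix match ("block%") would send it to the 1=1 default."""
    v = value.lower()
    if v == "deferred" or "block" in v:
        return "blocked"
    if v == "notified":
        return "allowed"
    return "allowed"  # 1=1 default branch of the case() clause


def normalize_events(events, field="action"):
    """Apply the mapping to every event, like `| eval action=...` in SPL."""
    return [{**ev, field: normalize_action(ev[field])} if field in ev else ev
            for ev in events]


if __name__ == "__main__":
    print("before:", enum_mismatches(SAMPLE_EVENTS))
    print("after: ", enum_mismatches(normalize_events(SAMPLE_EVENTS)))
```

Note that "Inconclusive" only passes the check because it falls into the default branch; decide deliberately which enum value such verdicts should map to before relying on the resulting UBA alerts.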