
How to fix the "Enum Mismatch beyond error threshold" error?

cweiliou_splunk
Splunk Employee

I am using UBA and I am seeing the error below in the "Splunk Direct Data Source Enum Check" indicator on my page "Home" > "Health Monitor" > "Data Quality Indicator".

Enum Mismatch beyond error threshold.
Stop the affected data source and make sure UBA is able to understand enum fields. Take one of two actions - 1) modify SPL to make sure values in enum fields should match what's expected in normalize.rules file 2) update normalize.rules to enable UBA to understand incoming data.
Status code ENUM_MISMATCH_BAD.

Any idea how to fix it?

1 Solution

cweiliou_splunk
Splunk Employee

The error means that you have some invalid values in some of your data source's fields.
If you go to the page "Home" > "Health Monitor" > "Data Quality Indicator" > "Data Source Details" for the data source showing the errors, you should be able to find the problematic fields by adding "?system" to your URL.
If you have a URL like the one below:

https://xxxx/#XmsxyOm.

then you should be able to see the problematic fields after adding "?system" between "/" and "#", as below:

https://xxxx/?system#XmsxyOm.

After adding "?system", the "Data Source Details" page should show a "Splunk Direct Enum Mismatch" area, which lists the fields with invalid values in the "ENUM FIELD" column.
For example, if you are getting errors for the "action" field of your "McAfee_NIPS" data source, you should see "action" in the "ENUM FIELD" column, the invalid values in the "INVALID VALUE" column, and the number of events for each invalid value in the "EVENTS" column.

As mentioned in the documentation below, UBA accepts only "allowed" and "blocked" for the "action" field:
https://docs.splunk.com/Documentation/UBA/4.3.0/GetDataIn/CIMtoUBAfields#Endpoint_category

action | Y | The action taken by the endpoint. | allowed, blocked

But if you have values such as "Inconclusive" or "Attack Blocked", you will need to map those values to either "allowed" or "blocked" by adding an "eval" to your data source's SPL.
Below is an example of the eval clause, but you will need to rewrite it to fit your own case.

eval action=case(action="deferred" OR like(lower(action),"block%"),"blocked",action="notified","allowed",1=1,"allowed")

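The following Python script is an added example, not code from the original post or from Splunk. It reproduces, offline, the two steps the answer describes: first the mismatch summary that the "Splunk Direct Enum Mismatch" area shows (field, invalid value, event count), then the remapping done by the eval/case() clause, including an emulation of SPL like() so you can see why the pattern "block%" does not catch a value such as "Attack Blocked". The sample events are constructed, the allowed-values table contains only the "action" field from the cited documentation, and the function and parameter names (spl_like, enum_mismatches, normalize_action, normalize_events, block_pattern) are this example's own.

```python
"""Pre-flight check for UBA enum fields before a data source is re-enabled.

Added example: emulates the Data Source Details enum-mismatch table and the
page's eval/case() remapping on constructed sample events.
"""
import re
from collections import Counter, defaultdict

# Allowed enum values per UBA field. Only "action" is taken from the cited
# CIM-to-UBA docs (allowed, blocked); extend this from normalize.rules as needed.
ALLOWED = {"action": {"allowed", "blocked"}}

# Constructed sample events (not real McAfee NIPS output) with the kinds of
# raw action values the answer mentions.
SAMPLE_EVENTS = [
    {"action": "blocked"},
    {"action": "Attack Blocked"},
    {"action": "Attack Blocked"},
    {"action": "Inconclusive"},
    {"action": "deferred"},
    {"action": "notified"},
    {"action": "allowed"},
]


def spl_like(value, pattern):
    """Emulate SPL like(): '%' matches any run of characters, '_' exactly one,
    and the pattern must cover the whole value (it is anchored at both ends)."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def enum_mismatches(events, allowed=ALLOWED):
    """Return {field: {invalid_value: event_count}}, i.e. the ENUM FIELD /
    INVALID VALUE / EVENTS columns of the Splunk Direct Enum Mismatch area."""
    found = defaultdict(Counter)
    for ev in events:
        for field, ok_values in allowed.items():
            raw = ev.get(field)
            if raw is not None and raw not in ok_values:
                found[field][raw] += 1
    return {field: dict(counts) for field, counts in found.items()}


def normalize_action(raw, block_pattern="block%", default="allowed"):
    """Python equivalent of the page's clause:
    case(action="deferred" OR like(lower(action),"block%"),"blocked",
         action="notified","allowed", 1=1,"allowed")
    Values that are already valid pass through unchanged. Returns
    (mapped_value, used_catch_all) so silent fallbacks can be counted."""
    if raw in ALLOWED["action"]:
        return raw, False
    if raw == "deferred" or spl_like(raw.lower(), block_pattern):
        return "blocked", False
    if raw == "notified":
        return "allowed", False
    return default, True  # the 1=1 catch-all branch


def normalize_events(events, **kwargs):
    """Apply normalize_action to every event. Returns (new_events, fallback),
    where fallback counts raw values that only matched the catch-all."""
    fallback = Counter()
    out = []
    for ev in events:
        ev = dict(ev)
        if "action" in ev:
            mapped, used_default = normalize_action(ev["action"], **kwargs)
            if used_default:
                fallback[ev["action"]] += 1
            ev["action"] = mapped
        out.append(ev)
    return out, fallback


if __name__ == "__main__":
    print("before:", enum_mismatches(SAMPLE_EVENTS))
    fixed, fallback = normalize_events(SAMPLE_EVENTS)
    print("after :", enum_mismatches(fixed), "catch-all hits:", dict(fallback))
    fixed, fallback = normalize_events(SAMPLE_EVENTS, block_pattern="%block%")
    print("with %block%: catch-all hits:", dict(fallback))
```

With the clause exactly as written on the page, "Attack Blocked" lands in the 1=1 catch-all and becomes "allowed", because like() is anchored and "block%" only matches values that start with "block". Changing the pattern to "%block%" maps it to "blocked" and leaves only "Inconclusive" in the fallback bucket. Whatever default you choose for the catch-all, counting how often it fires (the fallback counter here) tells you which raw values still need an explicit mapping rule rather than being classified silently.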
