
How to fix "Enum Mismatch beyond error threshold" error ?

cweiliou_splunk
Splunk Employee

I am using UBA and I am seeing the below error in the "Splunk Direct Data Source Enum Check" indicator on my "Home" > "Health Monitor" > "Data Quality Indicator" page.

Enum Mismatch beyond error threshold.
Stop the affected data source and make sure UBA is able to understand enum fields. Take one of two actions - 1) modify SPL to make sure values in enum fields should match what's expected in normalize.rules file 2) update normalize.rules to enable UBA to understand incoming data.
Status code ENUM_MISMATCH_BAD.

Any idea how to fix it?

1 Solution

cweiliou_splunk
Splunk Employee

The error means that you have some invalid values in some of your data source's fields.
If you go to the "Home" > "Health Monitor" > "Data Quality Indicator" > "Data Source Details" page of the data source showing the errors, then you should be able to find the problematic fields by adding "?system" to your URL.
If you have a URL like the one below:

https://xxxx/#XmsxyOm.

Then you should be able to see the problematic fields after adding "?system" in between "/" and "#", as below:

https://xxxx/?system#XmsxyOm.

After adding "?system", the "Data Source Details" page should show a "Splunk Direct Enum Mismatch" area, which lists the fields that have invalid values in the "ENUM FIELD" column.
For example, if you are getting errors with the "action" field of your "McAfee_NIPS" data source, then you should see "action" in the "ENUM FIELD" column, the invalid values in the "INVALID VALUE" column, and the number of events for each invalid value in the "EVENTS" column.

As mentioned in the documentation below, UBA accepts only "allowed" and "blocked" for the "action" field:
https://docs.splunk.com/Documentation/UBA/4.3.0/GetDataIn/CIMtoUBAfields#Endpoint_category

action (required: Y) - The action taken by the endpoint. Accepted values: allowed, blocked

But if you have values such as "Inconclusive" or "Attack Blocked", then you will need to map those values to either "allowed" or "blocked" by adding an "eval" to your data source's SPL.
Below is an example of the eval clause, but you will need to rewrite it to fit your own case.

eval action=case(action="deferred" OR like(lower(action),"block%"),"blocked",action="notified","allowed",1=1,"allowed")

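Before editing the data source's SPL, it helps to see which raw values will fail the enum check and what a given mapping does to each of them. The Python below is an added example, not code from the original post or from UBA itself: it reproduces the ENUM FIELD / INVALID VALUE / EVENTS count that the Data Source Details page shows over a constructed set of sample events, then applies a mapping in the spirit of the answer's eval clause and re-runs the check. The sample events, the ACTION_MAP table and the "allowed" default are assumptions to adapt to your own source. It generalizes the eval in one way: it uses a contains match, like(lower(action),"%block%"), rather than the prefix match "block%", so a value such as "Attack Blocked" lands on "blocked" instead of falling through to the default.

```python
"""Offline emulation of UBA's "Splunk Direct Data Source Enum Check" for the
'action' field, plus the normalization a data source's SPL must perform.
Added example; not UBA code. Sample events are constructed, not real McAfee
NIPS output. ACTION_MAP and the default value are assumptions to adapt."""
from collections import Counter

# Values UBA accepts for 'action' (Endpoint category in the UBA field docs).
ALLOWED_ACTION = {"allowed", "blocked"}

# Vendor-specific values mapped explicitly (assumed, for illustration only).
ACTION_MAP = {"deferred": "blocked", "notified": "allowed"}

# Constructed sample events standing in for a McAfee_NIPS data source.
SAMPLE_EVENTS = [
    {"action": "allowed"},
    {"action": "blocked"},
    {"action": "Attack Blocked"},
    {"action": "Attack Blocked"},
    {"action": "Inconclusive"},
    {"action": "deferred"},
    {"action": "notified"},
]


def enum_mismatches(events, field, allowed):
    """Count events whose <field> holds a value outside <allowed>, keyed by the
    offending value: the same INVALID VALUE / EVENTS view the Data Source
    Details page shows once '?system' is added to the URL."""
    counts = Counter()
    for ev in events:
        value = ev.get(field)
        if value not in allowed:
            counts[value] += 1
    return dict(counts)


def normalize_action(raw, default="allowed"):
    """Map one raw action value onto UBA's enum.

    Roughly the SPL
      eval action=case(action="deferred" OR like(lower(action),"%block%"),"blocked",
                       action="notified","allowed", 1=1,"allowed")
    The contains pattern "%block%" is deliberate: with the prefix pattern
    "block%", 'Attack Blocked' would hit the 1=1 default and UBA would see a
    blocked attack as allowed. Returns (value, used_default) so callers can
    audit everything that only reached the enum through the default branch.
    """
    if raw is None:
        return default, True
    key = raw.strip().lower()
    if key in ALLOWED_ACTION:
        return key, False
    if key in ACTION_MAP:
        return ACTION_MAP[key], False
    if "block" in key:
        return "blocked", False
    return default, True


def normalize_events(events, field="action"):
    """Return normalized copies of <events> plus a count of the raw values that
    were only mapped by the default branch (review these before trusting the
    mapping; they are candidates for an explicit ACTION_MAP entry)."""
    out = []
    defaulted = Counter()
    for ev in events:
        value, used_default = normalize_action(ev.get(field))
        if used_default:
            defaulted[ev.get(field)] += 1
        out.append({**ev, field: value})
    return out, dict(defaulted)


if __name__ == "__main__":
    print("before:", enum_mismatches(SAMPLE_EVENTS, "action", ALLOWED_ACTION))
    fixed, defaulted = normalize_events(SAMPLE_EVENTS)
    print("after: ", enum_mismatches(fixed, "action", ALLOWED_ACTION))
    print("defaulted:", defaulted)
```

Running the block prints the mismatch table before and after normalization and the raw values that were only swallowed by the default branch. Treat a non-empty "defaulted" result as work left to do rather than a clean bill of health: defaulting an unknown vendor outcome to "allowed" silences the enum check but makes that activity look permitted to UBA, so each such value deserves an explicit mapping in the eval.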
