Unable to select Scoring Field in Behavioral Profi...

varsha2233 · ‎08-11-2025

Hello Splunk Community,

I’m working in the Behavioral Profiling app to create an Anomaly Scoring Rule.
In the Define Indicator Source step, I have successfully selected my Behavioral Indicator (e.g., "Amount Transaction"), but the Scoring Field dropdown is disabled / showing a red mark, and I’m unable to select any value.

Details:

Behavioral Indicator: Amount Transaction

Data is visible when I run the same SPL in Search & Reporting.

Time Range: Last Day (also tried other ranges)

Using the default fields from my dataset (contains account, amount, _time).

The Scoring Field dropdown does not show any options.

What I have tried:

Verified the field exists in my data.

Changed the Time Range to ensure data is available.

Recreated the Behavioral Indicator.

Question:
What specific requirements or field types does the Scoring Field expect?
Do I need to modify the Behavioral Indicator definition or SPL so that this dropdown is populated?

Any guidance or examples would be greatly appreciated.

Thanks in advance!

The Data that I have provided for profiling is as follows :

imestamp,account,amount
2025-08-11 11:25:56,ACC1001,2500
2025-08-11 11:25:56,ACC1001,3000
2025-08-11 11:25:56,ACC1001,5000
2025-08-11 11:25:56,ACC1002,1500
2025-08-11 11:25:56,ACC1002,2000
2025-08-11 11:25:56,ACC1003,8000
2025-08-11 11:25:56,ACC1003,4000
2025-08-11 11:25:56,ACC1004,12000
2025-08-11 11:25:56,ACC1005,600
2025-08-11 11:25:56,ACC1005,750
2025-08-11 11:25:56,ACC1006,5000
2025-08-11 11:25:56,ACC1006,7000

Unable to select Scoring Field in Behavioral Profiling - Anomaly Scoring Rule

configuration

troubleshooting

using Splunk Enterprise

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?