Hi everyone,
I’m investigating an issue where UBA (User Behavior Analytics) data in Splunk appears to have stopped ingesting or processing after October 11, 2025, even though today is October 14, 2025.
As shown in the screenshot, I ran this search:
index=ueba earliest=-7d | stats count by _time | sort - _timeThe results show the latest _time entries are from 2025-10-11, with no events recorded on the 12th, 13th, or 14th. The time range of the search correctly spans from Oct 7 to Oct 14, so it’s not a time filter issue.
I’ve verified that:
- Other indexes are receiving data normally.
- The UBA app is enabled and licensed.
- No recent configuration changes were made to UBA or its inputs.
Has anyone experienced this before? Could this be related to:
- A known UBA ingestion delay or bug?
- Timezone misconfiguration?
- Data pipeline failure (e.g., forwarder, indexer, or UBA collector)?
- Scheduled maintenance or throttling?
Any guidance or troubleshooting steps would be greatly appreciated!
Thanks in advance!
