I have noticed the same thing, but in the Splunk_TA_windows app. I guess the same logic applies to the Infra as well. There is an EVAL in props.conf that sets the field ta_windows_action based on the value of Status. And if there is no match a default value of "failure" is set. So the meaning of "failure" is basically "failure to set a proper value in this field ". Which, in my opinion, is confusing. It should say "unknown" or just leave it blank. Also the coverage of this field in the logs seems very low so a lot of the events has this field set to failure.
This is the EVAL statement in the Windows-app:
EVAL-ta_windows_action = case(upper(Status) == "0XC000006F", "denied", upper(Status) == "0XC0000070", "denied", upper(Status) == "0XC000015B", "denied", upper(Status) == "0XC0000234", "denied", upper(Status) == "0XC0000064", "unknown", upper(Status) == "0XC0000133", "error", upper(Status) == "0XC0000225", "error", 1=1 , "failure")
My way forward is to create an override of this and changing the text "failure" to "unknown" instead.
... View more
Support confirmed that this is a bug (SPL-182112) for S2S communication between 8.x nodes. In my case I had issues between SH and INX. The recommendation was to set negotiateProtocolLevel=5 to downgrade the protocol version to 7.3. This can be done in the [tcpout] stanza on the sending node (SH), or in the [splunktcp] stanza on the receiving end (INX).
... View more