
How to fix the "Enum Mismatch beyond error threshold" error?

cweiliou_splunk (Splunk Employee)

I am using UBA and I am seeing the below error in the "Splunk Direct Data Source Enum Check" INDICATOR on my page "Home" > "Health Monitor" > "Data Quality Indicator".

Enum Mismatch beyond error threshold.
Stop the affected data source and make sure UBA is able to understand enum fields. Take one of two actions - 1) modify SPL to make sure values in enum fields should match what's expected in normalize.rules file 2) update normalize.rules to enable UBA to understand incoming data.
Status code ENUM_MISMATCH_BAD.

Any idea how to fix it?

1 Solution

cweiliou_splunk (Splunk Employee)

The error means that you have some invalid values in some of your data source's fields.
If you go to the page "Home" > "Health Monitor" > "Data Quality Indicator" > "Data Source Details" of the data source showing the errors, then you should be able to find the problematic fields by adding "?system" to your URL.
If you have a URL like the one below:

https://xxxx/#XmsxyOm.

Then you should be able to see the problematic fields after adding "?system" between "/" and "#", as below:

https://xxxx/?system#XmsxyOm.

After adding "?system", the "Data Source Details" page should show a "Splunk Direct Enum Mismatch" area which lists the fields that have invalid values in the "ENUM FIELD" column.
For example, if you are getting errors with the "action" field of your "McAfee_NIPS" data source, then you should see "action" in the "ENUM FIELD" column, the invalid values in the "INVALID VALUE" column, and the number of events for each invalid value in the "EVENTS" column.

As mentioned in the documentation below, UBA accepts only "allowed" and "blocked" for the "action" field:
https://docs.splunk.com/Documentation/UBA/4.3.0/GetDataIn/CIMtoUBAfields#Endpoint_category

action | Y | The action taken by the endpoint. | allowed, blocked

But if you have values such as "Inconclusive" or "Attack Blocked", then you will need to map those values to either "allowed" or "blocked" by adding an "eval" to your data source's SPL.
Below is an example of the eval clause, but you will need to rewrite it to fit your own case.

eval action=case(action="deferred" OR like(lower(action),"block%"),"blocked",action="notified","allowed",1=1,"allowed")

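The answer describes two things: the enum check that UBA performs (which fields carry values outside the allowed set, and how many events each invalid value accounts for) and the case()-style mapping that fixes it. The following Python script is an added example, not Splunk or UBA code, that reproduces both steps offline so you can verify a mapping against a sample of your own events before changing the data source's SPL. The only allowed-value set taken from the page is action -> {"allowed", "blocked"}; the sample events, the `ACTION_RULES` mapping and the `action_raw` audit field are constructed for illustration and must be adapted to the real source.

```python
"""Offline UBA enum-mismatch check plus the normalization step that fixes it.

Added example (not Splunk or UBA code). Allowed values for "action" come from
the UBA docs cited above; everything else here is constructed for illustration.
"""
from collections import Counter
from typing import Callable, Dict, Iterable, List, Tuple

# Allowed values per enum field. Only "action" is documented on this page.
ALLOWED_ENUMS: Dict[str, frozenset] = {
    "action": frozenset({"allowed", "blocked"}),
}

# Constructed sample events standing in for an IPS data source's output.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"src": "10.0.0.5", "action": "Attack Blocked"},
    {"src": "10.0.0.6", "action": "Inconclusive"},
    {"src": "10.0.0.7", "action": "blocked"},
    {"src": "10.0.0.8", "action": "notified"},
    {"src": "10.0.0.9", "action": "deferred"},
    {"src": "10.0.0.5", "action": "Attack Blocked"},
]

# Ordered rules mirroring SPL case(): the first predicate that matches wins and
# the final catch-all plays the role of the 1=1 default branch. These rules are
# an assumption chosen for the constructed values above; the default branch
# decides what every unknown value becomes, so choose it deliberately.
Rule = Tuple[Callable[[str], bool], str]
ACTION_RULES: List[Rule] = [
    (lambda v: v == "deferred" or "block" in v.lower(), "blocked"),
    (lambda v: v == "notified", "allowed"),
    (lambda v: True, "allowed"),
]


def enum_mismatches(events: Iterable[Dict[str, str]],
                    allowed: Dict[str, frozenset] = ALLOWED_ENUMS) -> Dict[Tuple[str, str], int]:
    """Count events per (enum field, invalid value), the same information the
    ENUM FIELD / INVALID VALUE / EVENTS columns show on Data Source Details."""
    counts: Counter = Counter()
    for event in events:
        for field, ok_values in allowed.items():
            value = event.get(field)
            if value is not None and value not in ok_values:
                counts[(field, value)] += 1
    return dict(counts)


def apply_rules(value: str, rules: List[Rule]) -> str:
    """Evaluate an ordered rule list the way SPL case() does: first match wins."""
    for predicate, target in rules:
        if predicate(value):
            return target
    return value  # only reached if no catch-all rule is present


def normalize_events(events: Iterable[Dict[str, str]],
                     field: str = "action",
                     rules: List[Rule] = ACTION_RULES) -> List[Dict[str, str]]:
    """Return copies of the events with the enum field rewritten. The original
    value is preserved in <field>_raw so the mapping stays auditable."""
    out: List[Dict[str, str]] = []
    for event in events:
        fixed = dict(event)
        if field in fixed:
            fixed[field + "_raw"] = fixed[field]
            fixed[field] = apply_rules(fixed[field], rules)
        out.append(fixed)
    return out


if __name__ == "__main__":
    print("mismatches before mapping:", enum_mismatches(SAMPLE_EVENTS))
    print("mismatches after mapping: ", enum_mismatches(normalize_events(SAMPLE_EVENTS)))
```

Run it as-is to see the per-value counts disappear once the rules cover every observed value; an empty result from `enum_mismatches` after normalization is the condition the UBA indicator is checking for. Keeping the raw value in a side field is worth carrying over to the real SPL, because a catch-all default branch otherwise hides which source values were silently folded into "allowed".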
