
Splunk App for Microsoft SharePoint: Sites missing in SPSite Lookup

christian_demko
Engager

Hi all,

I realize this app is no longer officially supported, but I'm hoping someone can help shed some light on an issue I'm having.
I've set up the SharePoint App and TA in a Splunk Enterprise environment (Splunk: 6.4.2; SharePoint: 2010), following the guide in the "Details" section of the app, as well as applying the fixes discussed in other topics in this forum and the "Issues" tab of the app's GitHub repo. As far as I can tell, the app is running correctly.
Note: One thing I did not do, per the guide's recommendations, is include the "cs-host" field in the IIS logs. That was a design choice by our SharePoint administrators. I don't believe it impacts my issue, but I figured I should mention it anyway.

Unfortunately, when I look at the collection of sites in SPSite.csv, the number of sites for which I have a proper entry is significantly smaller than the number of sites that should exist. I can confirm this by looking at the "mssharepoint-audit" events pulled in by the app, which show logs for about 135 unique Site IDs in the past 24 hours. However, the SPSite.csv list only contains entries for 7 sites!
I know very little about SharePoint and have been working with our SP admins to figure out why this is happening, but none of us can figure it out. All they can tell me is that the 7 sites we're getting data for are basically unused. This is confirmed by the fact that the audit logs and IIS logs only show service accounts for SharePoint touching the sites; no regular users.

In testing, I had a similar issue but was still able to get inventory entries for most of the active sites. In production, I don't get any of them. As far as I can tell, permissions are set correctly (again, following the guide on Splunkbase; I have no knowledge of how different our SharePoint farm is from the app developer's, and my SP admins are unaware of any difference in permissions between sites). The only lead I have is an error message in the splunkd.log file that seems to appear multiple times a second, every second, which reads:

Unable to get user by Id -1: Microsoft.SharePoint.SPException Microsoft.SharePoint.SPException: User cannot be found.
    at Microsoft.SharePoint.SPUserCollection.GetByID(Int32 id)
    at Splunk.SharePoint2010.Audit.SplunkAuditEntry.get_UserName()

Unfortunately, I have no idea what to do with this error. Any help on this issue would be greatly appreciated.

christian_demko
Engager

I don't really consider this to be a suitable answer, but I figured I would share this anyway in case someone ends up having the same problem. I was able to make two PowerShell commands that can be used to generate an SPSite.csv file manually that contains probably all of the relevant fields to make the app useful. Note: This workaround may be the victim of "over-engineering".

This first command needs to be run on a SharePoint server as a farm administrator user (access to the SP database):

Get-SPSite -Limit All | Export-CSV -NoTypeInformation SPSite-Export.csv

This second command can be run on that export to reformat it into one used by the SharePoint app. Note that a number of static values are being populated here, like the FarmId (which I blanked out in my example). You would need to update these fields to match your environment. Some of them I just had to guess on.

Import-CSV .\spsite-export.csv | Select @{Name="FarmId";Expression={'YOUR-UNIQUE-FARM-GUID'}},Id,_time,@{Name="Action";Expression={'Add'}},Url,AdministrationSiteType,AllowDesigner,AllowMasterPageEditing,AllowRevertFromTemplate,AllowRssFeeds,AllowUnsafeUpdates,AuditFlags,UseAuditFlagCache,EffectiveAuditMask,AuditLogTrimmingCallout,@{Name="AuditLogTrimmingRetention";Expression={'0'}},@{Name="AverageResourceUsage";Expression={'0'}},BrowserDocumentsEnabled,CatchAccessDeniedException,@{Name="CertificationDate";Expression={Get-Date -date $_.CertificationDate -Format u}},ContentDatabaseId,CurrentResourceUsage,DeadWebNotificationCount,HostHeaderIsSiteName,HostName,IISAllowsAnonymous,Impersonating,@{Name="LastContentModifiedDate";Expression={Get-Date -date $_.LastContentModifiedDate -Format u}},@{Name="LastSecurityModifiedDate";Expression={Get-Date -date $_.LastSecurityModifiedDate -Format u}},LockIssue,Port,PortalName,PortalUrl,Protocol,QuotaID,InvitedUserMaximumLevel,StorageMaximumLevel,StorageWarningLevel,@{Name="UserCodeMaximumLevel";Expression={'0'}},@{Name="UserCodeWarningLevel";Expression={'0'}},ReadLocked,ReadOnly,ResourceQuotaExceeded,ResourceQuotaExceededNotificationSent,ResourceQuotaWarningNotificationSent,RootWebId,ServerRelativeUrl,ShowURLStructure,SystemAccount,SyndicationEnabled,TrimAuditLog,UIVersionConfigurationEnabled,Bandwidth,DiscussionStorage,Hits,Storage,Visits,UserAccountDirectoryPath,UserCodeEnabled,UserDefinedWorkflowsEnabled,WebApplicationId,WriteLocked,Zone,Owner,SecondaryContact | Export-CSV -NoTypeInformation SPSite.csv
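
A coverage check for the generated file, added here as an example and not part of the original post: it lists Site IDs that appear in audit events but have no row in SPSite.csv, which is the gap described in the question. The audit-side column names (SiteId, Events), the function names and all sample rows are constructed assumptions; Id is the column carried over from the Get-SPSite export.

```powershell
# Constructed sample data; in practice use Import-Csv on SPSite.csv and on a
# CSV of per-site audit event counts exported from Splunk.
# Assumption: the audit export has the columns SiteId and Events.
$lookupCsv = @'
"FarmId","Id","Url"
"YOUR-UNIQUE-FARM-GUID","11111111-1111-1111-1111-111111111111","http://sp.example.test/sites/a"
"YOUR-UNIQUE-FARM-GUID","22222222-2222-2222-2222-222222222222","http://sp.example.test/sites/b"
'@
$auditCsv = @'
"SiteId","Events"
"11111111-1111-1111-1111-111111111111","40"
"{22222222-2222-2222-2222-222222222222}","12"
"33333333-3333-3333-3333-333333333333","7"
'@

function ConvertTo-NormalizedGuid {
    param([string]$Value)
    # The [guid] cast accepts braces and any letter case; anything else returns $null.
    try { return ([guid]$Value).ToString('D') } catch { return $null }
}

function Get-MissingSiteId {
    param($AuditRows, $LookupRows)
    # Index the lookup by normalized site GUID.
    $known = @{}
    foreach ($row in $LookupRows) {
        $id = ConvertTo-NormalizedGuid $row.Id
        if ($id) { $known[$id] = $true }
    }
    # Emit one object per audited site that the lookup does not know.
    foreach ($row in $AuditRows) {
        $id = ConvertTo-NormalizedGuid $row.SiteId
        if ($id -and -not $known.ContainsKey($id)) {
            New-Object PSObject -Property @{ SiteId = $id; Events = [int]$row.Events }
        }
    }
}

$audit   = @($auditCsv  | ConvertFrom-Csv)
$lookup  = @($lookupCsv | ConvertFrom-Csv)
$missing = @(Get-MissingSiteId -AuditRows $audit -LookupRows $lookup)

# Busiest unmapped sites first, then a one-line summary.
$missing | Sort-Object Events -Descending | Format-Table SiteId, Events -AutoSize
'{0} of {1} audited sites have no SPSite.csv entry' -f $missing.Count, $audit.Count
```

Rerunning the check after each regeneration of SPSite.csv shows whether newly created site collections have drifted out of the manually built lookup.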