
Where (into which system index) does Splunk write logs about orphaned searches?

PowerPacked (Builder)

Hi All

I would like to know into which internal system index and source Splunk writes logs about orphaned searches.

I know there is a REST API search which can show all orphaned searches, but I would like to see this data in the internal indexes as I am creating some KPIs on it.

Thanks

1 Solution

gjanders (SplunkTrust)

Within the Alerts For Splunk Admins application I wrote a search called "SearchHeadLevel - LDAP users have been disabled or left the company cleanup required"

If you just want the one search, refer to the savedsearches.conf on GitHub; however, there is no exact way I know of beyond the REST API of doing this. The search "SearchHeadLevel - LDAP users have been disabled or left the company cleanup required" works for my environment...

Here's the main part of the search, it's a bit complicated, I've stripped the comments in case you don't have that macro available:

index=_internal host=<yoursearchheadhosts> sourcetype=splunkd source=*splunkd.log ("Failed to get LDAP user=\"" OR "Couldn't find matching groups for user=" OR "HTTPAuthManager - SSO failed - User does not exist")
| dedup message
| rex "SSO failed - User does not exist: (?P<user>\S+)"
| stats count, values(message) AS messages, values(component) AS components, values(log_level), max(_time) AS lastSeen by user, host
| where user!="undefined" AND user!="nobody" AND like(messages,"Failed to get LDAP user%") AND NOT like(messages,"SSO failed - User does not exist%")
| table user, messages, lastSeen, host
| eval lastSeen=strftime(lastSeen, "%+")


tiagofbmm
Influencer

I don't think Splunk keeps that info in the internal indexes. You can still create your KPIs on that matter by using the `| rest` command and gathering the data you need.

Why do you need the data to come from the indexers if you can still access it in SPL via `| rest`?

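Building on the `| rest` suggestion above, the search below lists scheduled, enabled saved searches whose owner no longer exists as a Splunk user, which is what "orphaned" means in practice. It is an added example, not code from any post in this thread or from the Alerts For Splunk Admins app. It assumes it is run on the search head itself (splunk_server=local, so each search is listed once), that /services/authentication/users returns your whole user population (with LDAP that depends on the role-mapped groups, and SAML-only users may appear only after their first login, so verify against your backend), and that the owners nobody and splunk-system-user are skipped because they are app-level or system identities rather than people.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local count=0
| search is_scheduled=1 disabled=0
| rename eai:acl.owner AS owner, eai:acl.app AS app, title AS search_name
| where owner!="nobody" AND owner!="splunk-system-user"
| join type=left owner
    [| rest /services/authentication/users splunk_server=local count=0
     | rename title AS owner
     | eval owner_exists=1
     | table owner, owner_exists]
| where isnull(owner_exists)
| table search_name, app, owner, cron_schedule
| sort app, owner
```

To get this into an index for KPIs, save it as a scheduled report and append `| collect index=summary sourcetype=orphaned_searches` (or `| outputlookup orphaned_searches.csv` if a lookup is enough), since, as the replies note, nobody in this thread identified an _internal event that records orphaned searches directly. Running the `| rest` calls requires a role with the capabilities to read saved searches and the user list on the search head.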