How do you use Splunk to search within document te...

roseneric4 · ‎10-10-2018

Is it possible to use Splunk as search engine that uses a wiki server and SharePoint as its data sources? It must search within document text for example the contents of the files in a SharePoint document library.

The idea is to create a dashboard with a nice simple search interface that brings back the "articles" highlighting the key term and filtering down based on certain functional or application name etc.

sduff_splunk · ‎10-10-2018

Splunk does not have a web-crawler component, you would need to fetch all the documents from SharePoint through some means.

Unfortunately, the Splunk Add-on for Microsoft Office 365 only fetches the audit logs for SharePoint, not the actual data. There may be some way to use the Splunk Add-on for Microsoft Cloud Services to fetch the data from Azure Storage Tables, but I am not 100% certain if SharePoint data is accessible via that means.

It seems like the 'official' way is to use one of the methods described at https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/sharepoint-net-server-csom-jsom-and-rest-... to fetch the data, most likely the REST API. You would need to write a script to do the following:

Get a list of all documents, via http://server/site/_api/lists
For each list, get all that lists items, via http://server/site/_api/lists/getbytitle('listname')/items
Process each of those items and the metadata, and index that in Splunk.

This page probably describes the details of what you'll need to develop.
https://docs.microsoft.com/en-us/sharepoint/dev/sp-add-ins/get-to-know-the-sharepoint-rest-service

How do you use Splunk to search within document text of wiki server and SharePoint data sources?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...