All Apps and Add-ons

How do I pull SharePoint logs into Splunk ?

Path Finder

Hello Everyone ,

Found some of the question and answer pairs related to pulling SharePoint logs into Splunk and the visualizations which are dated back 2010-12 … Can any one please help in figuring out the following?

1)What are the basic steps that need to be done to pull SharePoint logs into the Splunk environment?
2)What type of log files are important to ingest ?
3)Any guidance related to dashboard things would be highly appreciated

Thank you all.

0 Karma

Engager

This is the info that I am pulling into Splunk from SharePoint 2019

  • perfmon
  • IIS logs
  • ULS logs

I am storing the IIS and ULS logs in a sharepoint index. I built out a correlation search dashboard so I don't have to use the Merge-SPLogFile cmdlet for PowerShell.

Here are the inputs.conf, props.conf and transforms.conf

IIS

[monitor://L:\inetpub\logs\LogFiles**.log]
index = sharepoint
sourcetype = iis
ignoreOlderThan = 1d

ULS

[monitor://L:\Diagnosticslog]
index = sharepoint
whitelist = .*-\d+-\d+.log$
sourcetype = MSSharePoint:2019:ULSAudit
ignoreOlderThan = 1d

PROPS.CONF

[MSSharePoint:2019:ULSAudit]
SHOULDLINEMERGE = false
CHECK
FORHEADER = false
LINE
BREAKER = ([\r\n]+)\d{2}/\d{2}/\d{4}\s\d{2}:\d{2}:\d{2}.\d{2}\s
TRANSFORMS-ulscomment = ulsremovecomments
SEDCMD-cleanup = s/(...([^*]+).*?...)//g

TRANSFORMS.CONF

[ulsremovecomments]
REGEX = ^Timestamp
DEST_KEY = queue
FORMAT = nullQueue

0 Karma

Path Finder

Anyone ???

0 Karma

Path Finder

I agree, that Splunk Add-On only goes to 2012 and the world has moved on. It would be nice to be able to get SP 2016 logs into Splunk.

0 Karma

Engager

It would be really beneficial to a lot of people to provide support for the on prem version SharePoint 2016 as not everyone is willing/ready to use the cloud version.

0 Karma