Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- How do I pull SharePoint logs into Splunk ?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I pull SharePoint logs into Splunk ?
Hello Everyone ,
Found some of the question and answer pairs related to pulling SharePoint logs into Splunk and the visualizations which are dated back 2010-12 … Can any one please help in figuring out the following?
1)What are the basic steps that need to be done to pull SharePoint logs into the Splunk environment?
2)What type of log files are important to ingest ?
3)Any guidance related to dashboard things would be highly appreciated
Thank you all.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is the info that I am pulling into Splunk from SharePoint 2019
- perfmon
- IIS logs
- ULS logs
I am storing the IIS and ULS logs in a sharepoint index. I built out a correlation search dashboard so I don't have to use the Merge-SPLogFile cmdlet for PowerShell.
Here are the inputs.conf, props.conf and transforms.conf
IIS
[monitor://L:\inetpub\logs\LogFiles**.log]
index = sharepoint
sourcetype = iis
ignoreOlderThan = 1d
ULS
[monitor://L:\Diagnosticslog]
index = sharepoint
whitelist = .*-\d+-\d+.log$
sourcetype = MSSharePoint:2019:ULSAudit
ignoreOlderThan = 1d
PROPS.CONF
[MSSharePoint:2019:ULSAudit]
SHOULD_LINEMERGE = false
CHECK_FOR_HEADER = false
LINE_BREAKER = ([\r\n]+)\d{2}/\d{2}/\d{4}\s\d{2}:\d{2}:\d{2}.\d{2}\s
TRANSFORMS-ulscomment = uls_remove_comments
SEDCMD-cleanup = s/(...([^*]+).*?...)//g
TRANSFORMS.CONF
[uls_remove_comments]
REGEX = ^Timestamp
DEST_KEY = queue
FORMAT = nullQueue
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Anyone ???
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I agree, that Splunk Add-On only goes to 2012 and the world has moved on. It would be nice to be able to get SP 2016 logs into Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would be really beneficial to a lot of people to provide support for the on prem version SharePoint 2016 as not everyone is willing/ready to use the cloud version.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
