- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Re: How to configure the checkpoint value?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I selected audit event from orion.auditingevents. Then I have follow questions.
- How to configure the checkpoint value in solarwinds query? Because there are too many duplicated events.
- If not possible can i use Splunk DB Connect for Solarwinds base? (table: Orion.AuditingEvents)
- Audit log time (orion.auditingevents.timeloggedutc) is not equal to indexed time. How can I set audit log time to index time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No Answer? I have resolved.
My event: {"DetailsUrl": "/Orion/NetPerfMon/OrionMessages.aspx?ShowOrionMessageTypes=audit%3b", "AuditEventMessage": "User **\** logged in from *****.", "TimeLoggedUtc": "2018-03-29T01:42:32.7370000Z", "DisplayName": "\***** logged in from *****.", "NetObjectType": null, "ActionTypeID": 1, "AuditEventID": 3519, "NetworkNode": null, "AccountID": "\*****", "NetObjectID": null}
- I have changed my sql like this:
SELECT AuditEventID, TimeLoggedUtc, AccountID, ActionTypeID, AuditEventMessage, NetworkNode, NetObjectID, NetObjectType, DetailsUrl, DisplayName FROM Orion.AuditingEvents WHERE TimeLoggedUtc > AddMinute(-10,GETUTCDATE()) order by TimeLoggedUtc DESC
- I am feeling splunk does't find the time automatically. Then I configured TIME_PREFIX. Done [solarwinds:generic] TIME_PREFIX = "TimeLoggedUtc":\s" TIME_FORMAT = %Y-%m-%dT%T.%7N%Z
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No Answer? I have resolved.
My event: {"DetailsUrl": "/Orion/NetPerfMon/OrionMessages.aspx?ShowOrionMessageTypes=audit%3b", "AuditEventMessage": "User **\** logged in from *****.", "TimeLoggedUtc": "2018-03-29T01:42:32.7370000Z", "DisplayName": "\***** logged in from *****.", "NetObjectType": null, "ActionTypeID": 1, "AuditEventID": 3519, "NetworkNode": null, "AccountID": "\*****", "NetObjectID": null}
- I have changed my sql like this:
SELECT AuditEventID, TimeLoggedUtc, AccountID, ActionTypeID, AuditEventMessage, NetworkNode, NetObjectID, NetObjectType, DetailsUrl, DisplayName FROM Orion.AuditingEvents WHERE TimeLoggedUtc > AddMinute(-10,GETUTCDATE()) order by TimeLoggedUtc DESC
- I am feeling splunk does't find the time automatically. Then I configured TIME_PREFIX. Done [solarwinds:generic] TIME_PREFIX = "TimeLoggedUtc":\s" TIME_FORMAT = %Y-%m-%dT%T.%7N%Z
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
