All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to configure the checkpoint value?

tdbank
Explorer
‎03-26-2018 04:19 AM

I selected audit event from orion.auditingevents. Then I have follow questions.

  1. How to configure the checkpoint value in solarwinds query? Because there are too many duplicated events.
  2. If not possible can i use Splunk DB Connect for Solarwinds base? (table: Orion.AuditingEvents)
  3. Audit log time (orion.auditingevents.timeloggedutc) is not equal to indexed time. How can I set audit log time to index time?
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tdbank
Explorer
‎03-28-2018 06:56 PM

No Answer? I have resolved.

My event: {"DetailsUrl": "/Orion/NetPerfMon/OrionMessages.aspx?ShowOrionMessageTypes=audit%3b", "AuditEventMessage": "User **\** logged in from *****.", "TimeLoggedUtc": "2018-03-29T01:42:32.7370000Z", "DisplayName": "\***** logged in from *****.", "NetObjectType": null, "ActionTypeID": 1, "AuditEventID": 3519, "NetworkNode": null, "AccountID": "\*****", "NetObjectID": null}

  1. I have changed my sql like this:

SELECT AuditEventID, TimeLoggedUtc, AccountID, ActionTypeID, AuditEventMessage, NetworkNode, NetObjectID, NetObjectType, DetailsUrl, DisplayName FROM Orion.AuditingEvents WHERE TimeLoggedUtc > AddMinute(-10,GETUTCDATE()) order by TimeLoggedUtc DESC

  1. I am feeling splunk does't find the time automatically. Then I configured TIME_PREFIX. Done [solarwinds:generic] TIME_PREFIX = "TimeLoggedUtc":\s" TIME_FORMAT = %Y-%m-%dT%T.%7N%Z

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

tdbank
Explorer
‎03-28-2018 06:56 PM

No Answer? I have resolved.

My event: {"DetailsUrl": "/Orion/NetPerfMon/OrionMessages.aspx?ShowOrionMessageTypes=audit%3b", "AuditEventMessage": "User **\** logged in from *****.", "TimeLoggedUtc": "2018-03-29T01:42:32.7370000Z", "DisplayName": "\***** logged in from *****.", "NetObjectType": null, "ActionTypeID": 1, "AuditEventID": 3519, "NetworkNode": null, "AccountID": "\*****", "NetObjectID": null}

  1. I have changed my sql like this:

SELECT AuditEventID, TimeLoggedUtc, AccountID, ActionTypeID, AuditEventMessage, NetworkNode, NetObjectID, NetObjectType, DetailsUrl, DisplayName FROM Orion.AuditingEvents WHERE TimeLoggedUtc > AddMinute(-10,GETUTCDATE()) order by TimeLoggedUtc DESC

  1. I am feeling splunk does't find the time automatically. Then I configured TIME_PREFIX. Done [solarwinds:generic] TIME_PREFIX = "TimeLoggedUtc":\s" TIME_FORMAT = %Y-%m-%dT%T.%7N%Z
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...