All Apps and Add-ons
Highlighted

How to configure the checkpoint value?

Explorer

I selected audit event from orion.auditingevents. Then I have follow questions.

  1. How to configure the checkpoint value in solarwinds query? Because there are too many duplicated events.
  2. If not possible can i use Splunk DB Connect for Solarwinds base? (table: Orion.AuditingEvents)
  3. Audit log time (orion.auditingevents.timeloggedutc) is not equal to indexed time. How can I set audit log time to index time?
0 Karma
Highlighted

Re: How to configure the checkpoint value?

Explorer

No Answer? I have resolved.

My event: {"DetailsUrl": "/Orion/NetPerfMon/OrionMessages.aspx?ShowOrionMessageTypes=audit%3b", "AuditEventMessage": "User **\** logged in from *****.", "TimeLoggedUtc": "2018-03-29T01:42:32.7370000Z", "DisplayName": "\***** logged in from *****.", "NetObjectType": null, "ActionTypeID": 1, "AuditEventID": 3519, "NetworkNode": null, "AccountID": "\*****", "NetObjectID": null}

  1. I have changed my sql like this:

SELECT AuditEventID, TimeLoggedUtc, AccountID, ActionTypeID, AuditEventMessage, NetworkNode, NetObjectID, NetObjectType, DetailsUrl, DisplayName FROM Orion.AuditingEvents WHERE TimeLoggedUtc > AddMinute(-10,GETUTCDATE()) order by TimeLoggedUtc DESC

  1. I am feeling splunk does't find the time automatically. Then I configured TIMEPREFIX. Done [solarwinds:generic] TIMEPREFIX = "TimeLoggedUtc":\s" TIME_FORMAT = %Y-%m-%dT%T.%7N%Z

View solution in original post

0 Karma