Solved: PingFederate does not set eventtype correctly for ...

tomaszpiekos · ‎06-30-2017

Hi,

I have a weird thing in my splunk.

query one :

index=index1 eventtype="*.sso.*" saml.host1.domain.local

result -> 3 events

query two:

index=index1 saml.host1.domain.local.

result -> 6 events.

All 6 events match eventtype :

[idp.sso.success]
search = source=*audit.log event="SSO" AND role="IdP" AND status="success"

But just some of them have eventtype=idp.sso.success.

Somehow source=*audit.log makes mess here... Despite it is the same for all these logs it does not match idp.sso.success search.
Moreover all these events come form one file and just for half of them eventtype=idp.sso.success.

Could anybody help ?

Splunk version is 6.5.2.

Thanks

tomaszpiekos · ‎07-11-2017

solved by changing :
[idp.sso.success]
search = source=audit.log event="SSO" AND role="IdP" AND status="success"
to
[idp.sso.success]
search = source=*audit.log event="SSO" AND role="IdP" AND status="success"

No clue why but sometimes source had a whitespace at the end added by splunk.

View solution in original post

tomaszpiekos · ‎07-11-2017

solved by changing :
[idp.sso.success]
search = source=audit.log event="SSO" AND role="IdP" AND status="success"
to
[idp.sso.success]
search = source=*audit.log event="SSO" AND role="IdP" AND status="success"

No clue why but sometimes source had a whitespace at the end added by splunk.

tomaszpiekos · ‎07-11-2017

should be : search = source=*audit.log*

amksa · ‎01-29-2020

Thanks tomaszpiekos , that is the exactly what I did "audit.log* and it worked!

PingFederate does not set eventtype correctly for logs

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...