Hi,
I have a weird thing in my Splunk.
Query one:
index=index1 eventtype="*.sso.*" saml.host1.domain.local
Result -> 3 events
Query two:
index=index1 saml.host1.domain.local
Result -> 6 events.
All 6 events match the eventtype:
[idp.sso.success]
search = source=*audit.log event="SSO" AND role="IdP" AND status="success"
But just some of them have eventtype=idp.sso.success.
Somehow source=*audit.log makes a mess here... Despite it being the same for all these logs, it does not match the idp.sso.success search.
Moreover, all these events come from one file, and just for half of them eventtype=idp.sso.success.
Could anybody help?
Splunk version is 6.5.2.
Thanks
Solved by changing:
[idp.sso.success]
search = source=audit.log event="SSO" AND role="IdP" AND status="success"
to
[idp.sso.success]
search = source=*audit.log event="SSO" AND role="IdP" AND status="success"
No clue why, but sometimes source had a whitespace at the end added by Splunk.
Should be: search = source=*audit.log*
Thanks tomaszpiekos, that is exactly what I did: "audit.log*" and it worked!
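To make the thread's behaviour reproducible offline, here is an added Python example (not code from the thread or from Splunk) that evaluates an eventtype-style search of AND-joined field=value terms against constructed events, with Splunk's "*" wildcard semantics. The six sample events and their source values are constructed to mirror the symptom above: all come from one audit.log, but three carry a trailing space in source. The helper names (wildcard_to_regex, parse_search, count_matches, sources_with_trailing_whitespace) are assumptions for this example; only AND-joined field=value terms are supported, which is all the eventtype on this page uses.

```python
import re

# Constructed sample data: six SSO audit events from one file. For three of
# them the source field carries a trailing space, the condition the thread
# reports Splunk adding.
EVENTS = [
    {"source": "/var/log/idp/audit.log",  "event": "SSO", "role": "IdP", "status": "success"},
    {"source": "/var/log/idp/audit.log",  "event": "SSO", "role": "IdP", "status": "success"},
    {"source": "/var/log/idp/audit.log",  "event": "SSO", "role": "IdP", "status": "success"},
    {"source": "/var/log/idp/audit.log ", "event": "SSO", "role": "IdP", "status": "success"},
    {"source": "/var/log/idp/audit.log ", "event": "SSO", "role": "IdP", "status": "success"},
    {"source": "/var/log/idp/audit.log ", "event": "SSO", "role": "IdP", "status": "success"},
]

# Matches one field=value term; the value is either "quoted" or a bare token.
_TERM = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def wildcard_to_regex(pattern):
    """Turn a Splunk-style value pattern into an anchored regex.
    Only '*' is a wildcard; every other character is matched literally."""
    parts = pattern.split("*")
    return re.compile("^" + ".*".join(re.escape(p) for p in parts) + "$")


def parse_search(search):
    """Parse 'field=value AND field="value" ...' into (field, regex) pairs.
    Assumption: terms are AND-joined only, as in the eventtype above."""
    terms = []
    for m in _TERM.finditer(search):
        field = m.group(1)
        value = m.group(3) if m.group(3) is not None else m.group(4)
        terms.append((field, wildcard_to_regex(value)))
    return terms


def matches(event, terms):
    """An event matches when every term's regex matches that field's value."""
    return all(field in event and rx.match(event[field]) for field, rx in terms)


def count_matches(search, events=EVENTS):
    """How many events the given eventtype search would tag."""
    terms = parse_search(search)
    return sum(1 for e in events if matches(e, terms))


def sources_with_trailing_whitespace(events=EVENTS):
    """Diagnostic: the distinct source values that differ from their stripped form,
    i.e. the values an exact or suffix-anchored source= term will silently miss."""
    return sorted({e["source"] for e in events if e["source"] != e["source"].strip()})


TAIL = ' event="SSO" AND role="IdP" AND status="success"'

if __name__ == "__main__":
    for src in ("source=audit.log", "source=*audit.log", "source=*audit.log*"):
        print(f"{src:<22} -> {count_matches(src + TAIL)} of {len(EVENTS)} events")
    print("sources with trailing whitespace:", sources_with_trailing_whitespace())
```

Running the script reproduces the thread's numbers: source=audit.log tags nothing (the value is a full path), source=*audit.log tags 3 of 6 because the anchored match rejects the trailing space, and source=*audit.log* tags all 6. The sources_with_trailing_whitespace helper is the check worth running on real data before widening a pattern, since a trailing-wildcard fix hides the root cause rather than explaining it.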