Solved: Re: PingFederate does not set eventtype correctly ...

tomaszpiekos · ‎06-30-2017

Hi,

I have a weird thing in my splunk.

query one :

index=index1 eventtype="*.sso.*" saml.host1.domain.local

result -> 3 events

query two:

index=index1 saml.host1.domain.local.

result -> 6 events.

All 6 events match eventtype :

[idp.sso.success]
search = source=*audit.log event="SSO" AND role="IdP" AND status="success"

But just some of them have eventtype=idp.sso.success.

Somehow source=*audit.log makes mess here... Despite it is the same for all these logs it does not match idp.sso.success search.
Moreover all these events come form one file and just for half of them eventtype=idp.sso.success.

Could anybody help ?

Splunk version is 6.5.2.

Thanks

tomaszpiekos · ‎07-11-2017

solved by changing :
[idp.sso.success]
search = source=audit.log event="SSO" AND role="IdP" AND status="success"
to
[idp.sso.success]
search = source=*audit.log event="SSO" AND role="IdP" AND status="success"

No clue why but sometimes source had a whitespace at the end added by splunk.

View solution in original post

tomaszpiekos · ‎07-11-2017

solved by changing :
[idp.sso.success]
search = source=audit.log event="SSO" AND role="IdP" AND status="success"
to
[idp.sso.success]
search = source=*audit.log event="SSO" AND role="IdP" AND status="success"

No clue why but sometimes source had a whitespace at the end added by splunk.

tomaszpiekos · ‎07-11-2017

should be : search = source=*audit.log*

amksa · ‎01-29-2020

Thanks tomaszpiekos , that is the exactly what I did "audit.log* and it worked!

PingFederate does not set eventtype correctly for logs

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms