All Apps and Add-ons

Splunk App for Microsoft SharePoint: How to properly configure and set up?

Explorer

Hello,

First of all, the lookup table rebuilder within the Sharepoint App on Splunk stops at Lookup - 'SPWeb' and I have an error in my messages:

Unable to initialize modular input 'sp13inventory' defined inside the app 'TA_Microsoft-Sharepoint'.  Unable to locate suitable script for introspection.

On a restart of Splunk on the Indexer as well, I am getting an error:

while parsing '/opt/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage/usage_sites.xml': not well-formed (invalid token): Line 39, column 62.  

Basically, my Sharepoint setup needs a little help - and I'm not sure where to look first. SQL and Powershell apps are installed and GPOs setup. Also - I've put an inputs.conf file within the Sharepoint app on the Sharepoint server, but do I need an index.conf file on my indexer specifically for Sharepoint - and what should this contain?

Thanks for any help!! 🙂

Path Finder

Hi robnewman666,

The reason the SPWeb rebuilder stop there is because there's a mistake in the SPL.

If you have enough permission to access the configuration files, navigate to /$SPLUNK_HOME/etc/apps/Splunk_for_Sharepoint/local to create or modify the savedsearches.conf. Look for the stanza [Lookup - SPWeb] and paste the following:

search = eventtype=mssharepoint-inventory Type="Web" | stats latest(_time) as _time, latest(Action) as Action, latest(Title) as Title, latest(SiteId) as SiteId, latest(AllowAnonymousAccess) as AllowAnonymousAccess, latest(AllowAutomaticASPXPageIndexing) as AllowAutomaticASPXPageIndexing, latest(AllowRssFeeds) as AllowRssFeeds, latest(AllowUnsafeUpdates) as AllowUnsafeUpdates, latest(AllWebTemplatesAllowed) as AllWebTemplatesAllowed, latest(AlternateCssUrl) as AlternateCssUrl, latest(AlternateHeader) as AlternateHeader, latest(ASPXPageIndexer) as ASPXPageIndexer, latest(ASPXPageIndexMode) as ASPXPageIndexMode, latest(AuditFlags) as AuditFlags, latest(UseAuditFlagCache) as UseAuditFlagCache, latest(EffectiveAuditMask) as EffectiveAuditMask, latest(AuthenticationMode) as AuthenticationMode, latest(Author) as Author, latest(ClientTag) as ClientTag, latest(Configuration) as Configuration, latest(Created) as Created, latest(CurrencyLocaleID) as CurrencyLocaleID, latest(CustomJavaScriptFileUrl) as CustomJavaScriptFileUrl, latest(CustomMasterUrl) as CustomMasterUrl, latest(CustomUploadPage) as CustomUploadPage, latest(EffectivePresenceEnabled) as EffectivePresenceEnabled, latest(EmailInsertsEnabled) as EmailInsertsEnabled, latest(EventHandlersEnabled) as EventHandlersEnabled, latest(ExecuteUrl) as ExecuteUrl, latest(Exists) as Exists, latest(HasExternalSecurityProvider) as HasExternalSecurityProvider, latest(HasUniquePerm) as HasUniquePerm, latest(HasUniqueRoleAssignments) as HasUniqueRoleAssignments, latest(HasUniqueRoleDefinitions) as HasUniqueRoleDefinitions, latest(IncludeSupportingFolders) as IncludeSupportingFolders, latest(IsADAccountCreationMode) as IsADAccountCreationMode, latest(IsADEmailEnabled) as IsADEmailEnabled, latest(IsMultilingual) as IsMultilingual, latest(IsRootWeb) as IsRootWeb, latest(Language) as Language, latest(LastItemModifiedDate) as LastItemModifiedDate, latest(Locale) as Locale, latest(MasterPageReferenceEnabled) as MasterPageReferenceEnabled, latest(MasterUrl) as MasterUrl, latest(NoCrawl) as NoCrawl, latest(OverwriteTranslationsOnChange) as OverwriteTranslationsOnChange, latest(ParentWeb) as ParentWeb, latest(ParserEnabled) as ParserEnabled, latest(PortalMember) as PortalMember, latest(PortalName) as PortalName, latest(PortalSubscriptionUrl) as PortalSubscriptionUrl, latest(PortalUrl) as PortalUrl, latest(PresenceEnabled) as PresenceEnabled, latest(Provisioned) as Provisioned, latest(PublicFolderRootUrl) as PublicFolderRootUrl, latest(QuickLaunchEnabled) as QuickLaunchEnabled, latest(RecycleBinEnabled) as RecycleBinEnabled, latest(RequestAccessEmail) as RequestAccessEmail, latest(RequestAccessEnabled) as RequestAccessEnabled, latest(RootFolder) as RootFolder, latest(ServerRelativeUrl) as ServerRelativeUrl, latest(SiteLogoUrl) as SiteLogoUrl, latest(SyndicationEnabled) as SyndicationEnabled, latest(Theme) as Theme, latest(ThemeCssUrl) as ThemeCssUrl, latest(ThemeCssFolderUrl) as ThemeCssFolderUrl, latest(TreeViewEnabled) as TreeViewEnabled, latest(UIVersion) as UIVersion, latest(UIVersionConfigurationEnabled) as UIVersionConfigurationEnabled, latest(WebTemplate) as WebTemplate, latest(WebTemplateId) as WebTemplateId by FarmId,Id | where Action != "Delete" | outputlookup SPWeb

The error is due to an extra latest(Title) as Title in the stats command.

However, this does not solve the SP13inventory issue still unfortunately...

Regards,
Benjamin

0 Karma

Splunk Employee
Splunk Employee

Hi robnewman666,

If you are not sure where to look first, as a start, please make sure you have followed the instructions in the URL below to correctly set up the SharePoint add-on:
https://splunkbase.splunk.com/app/1908/#/details

Hope it helps. Thanks!
Hunter

0 Karma

Path Finder

Hi hunters,

The instructions on the app page does not provide much help in troubleshooting this issue to be honest, my team and I have been tracking this questions for half a year now.

Did you manage to configure it to work properly on your end? It would be a great help if you could share your experience in this SharePoint App and Add-On!

Looking forward to hear back from you! 😄

Regards,
Ben

0 Karma

Explorer

Thanks for all the answers so far. I'm in the process of re-building my Sharepoint server, so once its rebuilt, I will try the (Splunk forwarder setup) process again. Once I do and if it's successful, I will post my results here.

0 Karma

Explorer

Have you tested your setup on sharepoint if so please provide your inputs.

Is it possible to pull shared documents xl file from sharepoint portal ?

0 Karma