All Apps and Add-ons

Splunk App for Microsoft SharePoint: How to properly configure and set up?

robnewman666
Path Finder

Hello,

First of all, the lookup table rebuilder within the Sharepoint App on Splunk stops at Lookup - 'SPWeb' and I have an error in my messages:

Unable to initialize modular input 'sp13inventory' defined inside the app 'TA_Microsoft-Sharepoint'.  Unable to locate suitable script for introspection.

On a restart of Splunk on the Indexer as well, I am getting an error:

while parsing '/opt/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage/usage_sites.xml': not well-formed (invalid token): Line 39, column 62.  

Basically, my Sharepoint setup needs a little help - and I'm not sure where to look first. SQL and Powershell apps are installed and GPOs setup. Also - I've put an inputs.conf file within the Sharepoint app on the Sharepoint server, but do I need an index.conf file on my indexer specifically for Sharepoint - and what should this contain?

Thanks for any help!! 🙂

SplunkDash
Motivator

@robnewman666 

A new TA "Add-on for SharePoint API with AWS Integration" has been released @

Add-on for SharePoint API with AWS Integration | Splunkbase

 

0 Karma

BenTan
Path Finder

Hi robnewman666,

The reason the SPWeb rebuilder stop there is because there's a mistake in the SPL.

If you have enough permission to access the configuration files, navigate to /$SPLUNK_HOME/etc/apps/Splunk_for_Sharepoint/local to create or modify the savedsearches.conf. Look for the stanza [Lookup - SPWeb] and paste the following:

search = eventtype=mssharepoint-inventory Type="Web" | stats latest(_time) as _time, latest(Action) as Action, latest(Title) as Title, latest(SiteId) as SiteId, latest(AllowAnonymousAccess) as AllowAnonymousAccess, latest(AllowAutomaticASPXPageIndexing) as AllowAutomaticASPXPageIndexing, latest(AllowRssFeeds) as AllowRssFeeds, latest(AllowUnsafeUpdates) as AllowUnsafeUpdates, latest(AllWebTemplatesAllowed) as AllWebTemplatesAllowed, latest(AlternateCssUrl) as AlternateCssUrl, latest(AlternateHeader) as AlternateHeader, latest(ASPXPageIndexer) as ASPXPageIndexer, latest(ASPXPageIndexMode) as ASPXPageIndexMode, latest(AuditFlags) as AuditFlags, latest(UseAuditFlagCache) as UseAuditFlagCache, latest(EffectiveAuditMask) as EffectiveAuditMask, latest(AuthenticationMode) as AuthenticationMode, latest(Author) as Author, latest(ClientTag) as ClientTag, latest(Configuration) as Configuration, latest(Created) as Created, latest(CurrencyLocaleID) as CurrencyLocaleID, latest(CustomJavaScriptFileUrl) as CustomJavaScriptFileUrl, latest(CustomMasterUrl) as CustomMasterUrl, latest(CustomUploadPage) as CustomUploadPage, latest(EffectivePresenceEnabled) as EffectivePresenceEnabled, latest(EmailInsertsEnabled) as EmailInsertsEnabled, latest(EventHandlersEnabled) as EventHandlersEnabled, latest(ExecuteUrl) as ExecuteUrl, latest(Exists) as Exists, latest(HasExternalSecurityProvider) as HasExternalSecurityProvider, latest(HasUniquePerm) as HasUniquePerm, latest(HasUniqueRoleAssignments) as HasUniqueRoleAssignments, latest(HasUniqueRoleDefinitions) as HasUniqueRoleDefinitions, latest(IncludeSupportingFolders) as IncludeSupportingFolders, latest(IsADAccountCreationMode) as IsADAccountCreationMode, latest(IsADEmailEnabled) as IsADEmailEnabled, latest(IsMultilingual) as IsMultilingual, latest(IsRootWeb) as IsRootWeb, latest(Language) as Language, latest(LastItemModifiedDate) as LastItemModifiedDate, latest(Locale) as Locale, latest(MasterPageReferenceEnabled) as MasterPageReferenceEnabled, latest(MasterUrl) as MasterUrl, latest(NoCrawl) as NoCrawl, latest(OverwriteTranslationsOnChange) as OverwriteTranslationsOnChange, latest(ParentWeb) as ParentWeb, latest(ParserEnabled) as ParserEnabled, latest(PortalMember) as PortalMember, latest(PortalName) as PortalName, latest(PortalSubscriptionUrl) as PortalSubscriptionUrl, latest(PortalUrl) as PortalUrl, latest(PresenceEnabled) as PresenceEnabled, latest(Provisioned) as Provisioned, latest(PublicFolderRootUrl) as PublicFolderRootUrl, latest(QuickLaunchEnabled) as QuickLaunchEnabled, latest(RecycleBinEnabled) as RecycleBinEnabled, latest(RequestAccessEmail) as RequestAccessEmail, latest(RequestAccessEnabled) as RequestAccessEnabled, latest(RootFolder) as RootFolder, latest(ServerRelativeUrl) as ServerRelativeUrl, latest(SiteLogoUrl) as SiteLogoUrl, latest(SyndicationEnabled) as SyndicationEnabled, latest(Theme) as Theme, latest(ThemeCssUrl) as ThemeCssUrl, latest(ThemeCssFolderUrl) as ThemeCssFolderUrl, latest(TreeViewEnabled) as TreeViewEnabled, latest(UIVersion) as UIVersion, latest(UIVersionConfigurationEnabled) as UIVersionConfigurationEnabled, latest(WebTemplate) as WebTemplate, latest(WebTemplateId) as WebTemplateId by FarmId,Id | where Action != "Delete" | outputlookup SPWeb

The error is due to an extra latest(Title) as Title in the stats command.

However, this does not solve the SP13inventory issue still unfortunately...

Regards,
Benjamin

0 Karma

hunters_splunk
Splunk Employee
Splunk Employee

Hi robnewman666,

If you are not sure where to look first, as a start, please make sure you have followed the instructions in the URL below to correctly set up the SharePoint add-on:
https://splunkbase.splunk.com/app/1908/#/details

Hope it helps. Thanks!
Hunter

0 Karma

BenTan
Path Finder

Hi hunters,

The instructions on the app page does not provide much help in troubleshooting this issue to be honest, my team and I have been tracking this questions for half a year now.

Did you manage to configure it to work properly on your end? It would be a great help if you could share your experience in this SharePoint App and Add-On!

Looking forward to hear back from you! 😄

Regards,
Ben

0 Karma

robnewman666
Path Finder

Thanks for all the answers so far. I'm in the process of re-building my Sharepoint server, so once its rebuilt, I will try the (Splunk forwarder setup) process again. Once I do and if it's successful, I will post my results here.

0 Karma

naliniasb
Explorer

Have you tested your setup on sharepoint if so please provide your inputs.

Is it possible to pull shared documents xl file from sharepoint portal ?

0 Karma

jamesjarrett
Path Finder

So its funny, Here we are in 2020 and people are still using Sharepoint 2016 instead of o365 flavor. I'm not sure why Splunk deemed the '16 version no longer relevant.

At one point there as a TA_sharepoint somewhere (either Splunkbase or Github). Github has an app for Sharepoint but thats it. Their history even notates that they removed everything from the app to split it into an TA /app solution. I could go back in the past to recover it but at least right now I feel like the answer for the data I need is probably going to be much simpler ( not sure yet, just getting to the ingest phase...) 

Any luck with this? i see your question is from September.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...