First of all, the lookup table rebuilder within the SharePoint App on Splunk stops at Lookup - 'SPWeb' and I have an error in my messages:
Unable to initialize modular input 'sp13inventory' defined inside the app 'TA_Microsoft-Sharepoint'. Unable to locate suitable script for introspection.
On a restart of Splunk on the Indexer as well, I am getting an error:
while parsing '/opt/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage/usage_sites.xml': not well-formed (invalid token): Line 39, column 62.
Basically, my SharePoint setup needs a little help - and I'm not sure where to look first. SQL and PowerShell apps are installed and GPOs set up. Also - I've put an inputs.conf file within the SharePoint app on the SharePoint server, but do I need an index.conf file on my indexer specifically for SharePoint - and what should this contain?
Thanks for any help!! 🙂
The reason the SPWeb rebuilder stops there is that there's a mistake in the SPL.
If you have enough permission to access the configuration files, navigate to /$SPLUNK_HOME/etc/apps/Splunk_for_Sharepoint/local to create or modify the savedsearches.conf. Look for the stanza [Lookup - SPWeb] and paste the following:
The error is due to an extra latest(Title) as Title in the stats command.
However, this still does not solve the SP13inventory issue, unfortunately...
If you are not sure where to look first, as a start, please make sure you have followed the instructions in the URL below to correctly set up the SharePoint add-on:
Hope it helps. Thanks!
The instructions on the app page do not provide much help in troubleshooting this issue, to be honest; my team and I have been tracking this question for half a year now.
Did you manage to configure it to work properly on your end? It would be a great help if you could share your experience in this SharePoint App and Add-On!
Looking forward to hearing back from you! 😄
Thanks for all the answers so far. I'm in the process of rebuilding my SharePoint server, so once it's rebuilt, I will try the (Splunk forwarder setup) process again. Once I do and if it's successful, I will post my results here.
So it's funny, here we are in 2020 and people are still using SharePoint 2016 instead of the o365 flavor. I'm not sure why Splunk deemed the '16 version no longer relevant.
At one point there was a TA_sharepoint somewhere (either Splunkbase or GitHub). GitHub has an app for SharePoint but that's it. Their history even notates that they removed everything from the app to split it into a TA/app solution. I could go back in the past to recover it, but at least right now I feel like the answer for the data I need is probably going to be much simpler (not sure yet, just getting to the ingest phase...)
Any luck with this? I see your question is from September.