All Apps and Add-ons
Highlighted

Splunk App for Microsoft SharePoint: How to properly configure and set up?

Explorer

Hello,

First of all, the lookup table rebuilder within the Sharepoint App on Splunk stops at Lookup - 'SPWeb' and I have an error in my messages:

Unable to initialize modular input 'sp13inventory' defined inside the app 'TA_Microsoft-Sharepoint'.  Unable to locate suitable script for introspection.

On a restart of Splunk on the Indexer as well, I am getting an error:

while parsing '/opt/etc/apps/Splunk_for_Sharepoint/default/data/ui/views/usage/usage_sites.xml': not well-formed (invalid token): Line 39, column 62.  

Basically, my Sharepoint setup needs a little help - and I'm not sure where to look first. SQL and Powershell apps are installed and GPOs setup. Also - I've put an inputs.conf file within the Sharepoint app on the Sharepoint server, but do I need an index.conf file on my indexer specifically for Sharepoint - and what should this contain?

Thanks for any help!! 🙂

Highlighted

Re: Splunk App for Microsoft SharePoint: How to properly configure and set up?

Hi robnewman666,

If you are not sure where to look first, as a start, please make sure you have followed the instructions in the URL below to correctly set up the SharePoint add-on:
https://splunkbase.splunk.com/app/1908/#/details

Hope it helps. Thanks!
Hunter

0 Karma
Highlighted

Re: Splunk App for Microsoft SharePoint: How to properly configure and set up?

Path Finder

Hi hunters,

The instructions on the app page does not provide much help in troubleshooting this issue to be honest, my team and I have been tracking this questions for half a year now.

Did you manage to configure it to work properly on your end? It would be a great help if you could share your experience in this SharePoint App and Add-On!

Looking forward to hear back from you! 😄

Regards,
Ben

0 Karma
Highlighted

Re: Splunk App for Microsoft SharePoint: How to properly configure and set up?

Explorer

Thanks for all the answers so far. I'm in the process of re-building my Sharepoint server, so once its rebuilt, I will try the (Splunk forwarder setup) process again. Once I do and if it's successful, I will post my results here.

0 Karma
Highlighted

Re: Splunk App for Microsoft SharePoint: How to properly configure and set up?

Path Finder

Hi robnewman666,

The reason the SPWeb rebuilder stop there is because there's a mistake in the SPL.

If you have enough permission to access the configuration files, navigate to /$SPLUNKHOME/etc/apps/Splunkfor_Sharepoint/local to create or modify the savedsearches.conf. Look for the stanza [Lookup - SPWeb] and paste the following:

search = eventtype=mssharepoint-inventory Type="Web" | stats latest(_time) as _time, latest(Action) as Action, latest(Title) as Title, latest(SiteId) as SiteId, latest(AllowAnonymousAccess) as AllowAnonymousAccess, latest(AllowAutomaticASPXPageIndexing) as AllowAutomaticASPXPageIndexing, latest(AllowRssFeeds) as AllowRssFeeds, latest(AllowUnsafeUpdates) as AllowUnsafeUpdates, latest(AllWebTemplatesAllowed) as AllWebTemplatesAllowed, latest(AlternateCssUrl) as AlternateCssUrl, latest(AlternateHeader) as AlternateHeader, latest(ASPXPageIndexer) as ASPXPageIndexer, latest(ASPXPageIndexMode) as ASPXPageIndexMode, latest(AuditFlags) as AuditFlags, latest(UseAuditFlagCache) as UseAuditFlagCache, latest(EffectiveAuditMask) as EffectiveAuditMask, latest(AuthenticationMode) as AuthenticationMode, latest(Author) as Author, latest(ClientTag) as ClientTag, latest(Configuration) as Configuration, latest(Created) as Created, latest(CurrencyLocaleID) as CurrencyLocaleID, latest(CustomJavaScriptFileUrl) as CustomJavaScriptFileUrl, latest(CustomMasterUrl) as CustomMasterUrl, latest(CustomUploadPage) as CustomUploadPage, latest(EffectivePresenceEnabled) as EffectivePresenceEnabled, latest(EmailInsertsEnabled) as EmailInsertsEnabled, latest(EventHandlersEnabled) as EventHandlersEnabled, latest(ExecuteUrl) as ExecuteUrl, latest(Exists) as Exists, latest(HasExternalSecurityProvider) as HasExternalSecurityProvider, latest(HasUniquePerm) as HasUniquePerm, latest(HasUniqueRoleAssignments) as HasUniqueRoleAssignments, latest(HasUniqueRoleDefinitions) as HasUniqueRoleDefinitions, latest(IncludeSupportingFolders) as IncludeSupportingFolders, latest(IsADAccountCreationMode) as IsADAccountCreationMode, latest(IsADEmailEnabled) as IsADEmailEnabled, latest(IsMultilingual) as IsMultilingual, latest(IsRootWeb) as IsRootWeb, latest(Language) as Language, latest(LastItemModifiedDate) as LastItemModifiedDate, latest(Locale) as Locale, latest(MasterPageReferenceEnabled) as MasterPageReferenceEnabled, latest(MasterUrl) as MasterUrl, latest(NoCrawl) as NoCrawl, latest(OverwriteTranslationsOnChange) as OverwriteTranslationsOnChange, latest(ParentWeb) as ParentWeb, latest(ParserEnabled) as ParserEnabled, latest(PortalMember) as PortalMember, latest(PortalName) as PortalName, latest(PortalSubscriptionUrl) as PortalSubscriptionUrl, latest(PortalUrl) as PortalUrl, latest(PresenceEnabled) as PresenceEnabled, latest(Provisioned) as Provisioned, latest(PublicFolderRootUrl) as PublicFolderRootUrl, latest(QuickLaunchEnabled) as QuickLaunchEnabled, latest(RecycleBinEnabled) as RecycleBinEnabled, latest(RequestAccessEmail) as RequestAccessEmail, latest(RequestAccessEnabled) as RequestAccessEnabled, latest(RootFolder) as RootFolder, latest(ServerRelativeUrl) as ServerRelativeUrl, latest(SiteLogoUrl) as SiteLogoUrl, latest(SyndicationEnabled) as SyndicationEnabled, latest(Theme) as Theme, latest(ThemeCssUrl) as ThemeCssUrl, latest(ThemeCssFolderUrl) as ThemeCssFolderUrl, latest(TreeViewEnabled) as TreeViewEnabled, latest(UIVersion) as UIVersion, latest(UIVersionConfigurationEnabled) as UIVersionConfigurationEnabled, latest(WebTemplate) as WebTemplate, latest(WebTemplateId) as WebTemplateId by FarmId,Id | where Action != "Delete" | outputlookup SPWeb

The error is due to an extra latest(Title) as Title in the stats command.

However, this does not solve the SP13inventory issue still unfortunately...

Regards,
Benjamin

0 Karma