
Splunk App for Microsoft SharePoint: Sites missing in SPSite Lookup


Hi all,

I realize this app is no longer officially supported, but I'm hoping someone can help shed some light on an issue I'm having.
I've set up the SharePoint App and TA in a Splunk Enterprise environment (Splunk: 6.4.2; SharePoint: 2010), following the guide in the "Details" section of the app, as well as applying the fixes discussed in other topics in this forum and the "Issues" tab of the app's GitHub repo. As far as I can tell, the app is running correctly.
Note: One thing I did not do, per the guide's recommendations, is include the "cs-host" field in the IIS logs. That was a design choice by our SharePoint administrators. I don't believe it impacts my issue, but I figured I should mention it anyway.

Unfortunately, when I look at the collection of sites in SPSite.csv, the number of sites for which I have a proper entry is significantly smaller than the number of sites that should exist. I can confirm this by looking at the "mssharepoint-audit" events pulled in by the app, which shows logs for about 135 unique Site IDs in the past 24 hours. However, the SPSite.csv list only contains entries for 7 sites!
I know very little about SharePoint and have been working with our SP admins to figure out why this is happening, but none of us can figure it out. All they can tell me is that the 7 sites we're getting data for are basically unused. This is confirmed by the fact that the audit logs and IIS logs only show service accounts for SharePoint touching the sites; no regular users.

In testing, I had a similar issue but was still able to get inventory entries for most of the active sites. In production, I don't get any of them. As far as I can tell, permissions are set correctly (again, following the guide on Splunkbase; I have no knowledge of how different our SharePoint farm is from the app developer's, and my SP admins are unaware of any difference in permissions between sites). The only lead I have is an error message in the splunkd.log file that seems to appear multiple times a second, every second, which reads:

Unable to get user by Id -1: Microsoft.SharePoint.SPException Microsoft.SharePoint.SPException: User cannot be found.
    at Microsoft.SharePoint.SPUserCollection.GetByID(Int32 id)
    at Splunk.SharePoint2010.Audit.SplunkAuditEntry.get_UserName()

Unfortunately, I have no idea what to do with this error. Any help on this issue would be greatly appreciated.


I don't really consider this to be a suitable answer, but I figured I would share this anyway in case someone ends up having the same problem. I was able to make two PowerShell commands that can be used to generate an SPSite.csv file manually that contains probably all of the relevant fields to make the app useful. Note: This workaround may be the victim of "over-engineering".

This first command needs to be run on a SharePoint server as a farm administrator user (access to the SP database):

Get-SPSite -Limit All | Export-CSV -NoTypeInformation SPSite-Export.csv

This second command can be run on that export to reformat it into one used by the SharePoint app. Note that a number of static values are being populated here, like the FarmId (which I blanked out in my example). You would need to update these fields to match your environment. Some of them I just had to guess on.

Import-CSV .\spsite-export.csv |
    Select @{Name="FarmId";Expression={'YOUR-UNIQUE-FARM-GUID'}},Id,_time,@{Name="Action";Expression={'Add'}},Url,
        AdministrationSiteType,AllowDesigner,AllowMasterPageEditing,AllowRevertFromTemplate,AllowRssFeeds,AllowUnsafeUpdates,
        AuditFlags,UseAuditFlagCache,EffectiveAuditMask,AuditLogTrimmingCallout,
        @{Name="AuditLogTrimmingRetention";Expression={'0'}},@{Name="AverageResourceUsage";Expression={'0'}},
        BrowserDocumentsEnabled,CatchAccessDeniedException,
        @{Name="CertificationDate";Expression={Get-Date -date $_.CertificationDate -Format u}},
        ContentDatabaseId,CurrentResourceUsage,DeadWebNotificationCount,HostHeaderIsSiteName,HostName,IISAllowsAnonymous,Impersonating,
        @{Name="LastContentModifiedDate";Expression={Get-Date -date $_.LastContentModifiedDate -Format u}},
        @{Name="LastSecurityModifiedDate";Expression={Get-Date -date $_.LastSecurityModifiedDate -Format u}},
        LockIssue,Port,PortalName,PortalUrl,Protocol,QuotaID,InvitedUserMaximumLevel,StorageMaximumLevel,StorageWarningLevel,
        @{Name="UserCodeMaximumLevel";Expression={'0'}},@{Name="UserCodeWarningLevel";Expression={'0'}},
        ReadLocked,ReadOnly,ResourceQuotaExceeded,ResourceQuotaExceededNotificationSent,ResourceQuotaWarningNotificationSent,
        RootWebId,ServerRelativeUrl,ShowURLStructure,SystemAccount,SyndicationEnabled,TrimAuditLog,UIVersionConfigurationEnabled,
        Bandwidth,DiscussionStorage,Hits,Storage,Visits,UserAccountDirectoryPath,UserCodeEnabled,UserDefinedWorkflowsEnabled,
        WebApplicationId,WriteLocked,Zone,Owner,SecondaryContact |
    Export-CSV -NoTypeInformation SPSite.csv
0 Karma
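
A sanity check for the manually generated SPSite.csv described in the answer above, as an added example that is not part of the original post or the app. It flags rows where the FarmId placeholder was left in or a date is not in the `-Format u` form, and lists site IDs seen in audit events that the lookup still lacks; the function names, the sample rows, and the idea of passing the audit site IDs in as a plain list of GUID strings are assumptions.

```python
import csv
import io
import uuid
from datetime import datetime

PLACEHOLDER_FARM_ID = "YOUR-UNIQUE-FARM-GUID"  # literal used in the post's command
DATE_COLUMNS = ("CertificationDate", "LastContentModifiedDate",
                "LastSecurityModifiedDate")

def as_guid(value):
    """Return the canonical lowercase GUID string, or None if not a GUID."""
    try:
        return str(uuid.UUID(value))  # also accepts the {braced} form
    except (ValueError, TypeError, AttributeError):
        return None

def check_lookup(lookup_csv_text, audit_site_ids):
    """Return (audit site IDs absent from the lookup, [(line, problem), ...])."""
    known, problems = set(), []
    rows = csv.DictReader(io.StringIO(lookup_csv_text))
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header
        site_id = as_guid(row.get("Id"))
        if site_id is None:
            problems.append((line_no, "Id is not a GUID"))
            continue
        known.add(site_id)
        if row.get("FarmId") == PLACEHOLDER_FARM_ID:
            problems.append((line_no, "FarmId placeholder was not replaced"))
        for col in DATE_COLUMNS:
            value = row.get(col) or ""  # empty or absent dates are tolerated
            try:
                if value:  # Get-Date -Format u writes 2016-08-01 14:22:05Z
                    datetime.strptime(value, "%Y-%m-%d %H:%M:%SZ")
            except ValueError:
                problems.append((line_no, col + " is not in 'u' format"))
    audit = {as_guid(s) for s in audit_site_ids} - {None}
    return sorted(audit - known), problems

# Constructed sample data (not taken from the original post).
SAMPLE_LOOKUP = (
    "FarmId,Id,Url,LastContentModifiedDate\n"
    "YOUR-UNIQUE-FARM-GUID,11111111-1111-1111-1111-111111111111,"
    "http://sp.example/sites/a,2016-08-01 14:22:05Z\n"
    "22222222-2222-2222-2222-222222222222,33333333-3333-3333-3333-333333333333,"
    "http://sp.example/sites/b,8/1/2016 2:22:05 PM\n"
)
SAMPLE_AUDIT_IDS = ["{11111111-1111-1111-1111-111111111111}",
                    "44444444-4444-4444-4444-444444444444"]

if __name__ == "__main__":
    print(check_lookup(SAMPLE_LOOKUP, SAMPLE_AUDIT_IDS))
```

An empty first list means every site ID seen in the audit data now has a row in the lookup.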