All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

User login activity - Nextcloud Addon

andresito123
Communicator
‎03-24-2020 02:56 AM

Hello all,

I am troubleshooting why "User login activity" of Nextcloud App is showing no results and by analyzing the results the dashboard query is:

sourcetype=TERM(nextcloud-log) app=admin_audit action="Login successful" user="*" userAgent!=curl* 
    | iplocation remoteAddr 
    | timechart count by user

When I dig further, I see that the "app" field value is always set to "nextcloud" and never gets the right app value from the nextcloud-log sourcetype (which are extracted from the script of the add-on). Then, I consulted the /opt/splunk/etc/apps/TA-nextcloud/default/props.conf and I see the following statement:

EVAL-app = "nextcloud"

What is the use of this statement? Is this a mistake/bug? Because I am considering overriding this value on the local directory.

0 Karma
Reply

bgraabek_splunk
Splunk Employee
Splunk Employee
‎03-24-2020 11:13 AM

Could you check which version of the add-on and which version of the app you have installed?
I think you have an older version of the app, but the latest version of the add-on.
In the latest version the query looks different.

The EVAL-app = "nextcloud" statement is not a bug or mistake, but is there to make the data CIM compatible. CIM (Common Information Model) is a data model that enables for example Splunk ES to make use of the data, and CIM makes use of a field named "app". Instead, the latest app (and add-on) renames the field name to "ncApp".

I guess the developer messed up by not making it clear when the add-on was updated that a requirement was that the app also be updated (assuming the above is the reason it isn't working for you).

0 Karma
Reply

andresito123
Communicator
‎03-25-2020 02:51 AM

Splunk Add-on for Nextcloud is at version 2.1.0 and Splunk App for Nextcloud is at version 2.6.1.

I had to manually fix some dashboards because the "app" field name, which is used on many dashboards searches, does not get the right value.

0 Karma
Reply

bgraabek_splunk
Splunk Employee
Splunk Employee
‎03-25-2020 03:22 AM

The first line of SPL for the "Login activity over time" panel in the "User login activity" dashboard in v2.6.1 of the app looks like this:
sourcetype=TERM(nextcloud-log) ncApp=admin_audit message="Login successful*" user="$userToken1$" user="$user$" url!=TERM(*/ocs/v2.php/apps/serverinfo/api/v1/info)
and not like the line you have shown in your question.

Was the dashboard that didn't work ever modified before installing the latest app? If that is the case, the modified dashboard takes precedence and the new dashboards in the latest version of the app will not be used. You could try to move the dashboards in the "local" directory to somewhere safe, then restart the Splunk server to see if the default dashboard then works.

0 Karma
Reply

andresito123
Communicator
‎03-25-2020 04:16 AM

No, in my initial question I have included information from props.conf. The -not working- "User login activity" dashboard included the string: "app=admin_audit" and not the "ncApp=admin_audit".

I will try to delete the app and install it from scratch, maybe some update wasn't deployed correctly? Don't know.

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...