Tableau System Logs

splk
Communicator

Hello everybody,

I am wondering if anybody already does some Tableau System Monitoring with the logs Tableau provides?

I was a little bit surprised not to find an App or some inputs.conf recommendations.
As far as I can see, it should be Tomcat and Apache Logs - with some redis.

Any link / tip helps.

Thank you!

nolejj
Explorer

From what I see, the vizportal_node-0.log seems to be a systems/audit log containing the events needed to determine event failures. The log events are not structured in a way that lets Splunk easily extract fields based on the display of the event information. There are lots of results within the log file without any reference to the meaning of the result. You will need to build a lot of rex commands to extract fields correctly. For example, you can test a failed login attempt and then read the log file. If you already have the vizportal_node-0.log events forwarded to Splunk, you can run a search within Splunk for your failed login attempt using _raw=ERROR. The log level of an event seems to be unique and can be extracted to a field. I was able to save the below rex command for determining the log level of Tableau logs.

(?<log_level>ERROR|INFO|EMERG|ALERT|CRIT|WARN|NOTICE|DEBUG)

If you want to test the above rex command on a report, you can use:

| rex field=_raw "(?<log_level>ERROR|INFO|EMERG|ALERT|CRIT|WARN|NOTICE|DEBUG)"

Based on the report you are building, you may need to build custom rex commands to meet your needs for the report.


Thanks,

Joe


nolejj
Explorer

Another unique field to extract is the Operation performed:

\:\s+[A-Z]+\s+(?<Operation>\S+)

You can test on a report with:

| rex field=_raw "\:\s+[A-Z]+\s+(?<Operation>\S+)"

You can use the operation event results to narrow down on the type of events you want to search.

For the event message portion, you can use:

(?ms)[A-Z].*?\s-\s+(?<Message>.*)

You can test on a report with:

| rex field=_raw "(?ms)[A-Z].*?\s-\s+(?<Message>.*)"

(?ms) is used to capture multiple lines of a message. An example would be Java messages.


Thanks,

Joe


nmclaughl1
Explorer

I am struggling with this too.

I did observe a few Google results that indicated that errors are piped into winEventLogs, but that doesn't apply to me. And the particular objects I was instructed to monitor with inputs aren't JSON.

I looked at this, https://www.theinformationlab.co.uk/2016/02/05/tableau-server-needs-splunk-2/, but the Tableau folks had me go after their "node" logs that have ambiguous fields (to me, knowing nothing about Tableau).

2 raw events I imagine the team wants to measure as a transaction, sample:

2019-05-07 10:56:44.398 -0700 (Folks Friendly Name,someUser,someRand,pupupuPuuu, heheheHee,1-couldBeToken) catalina-exec-29 vizportal: INFO  com.tableausoftware.app.vizportal.LoggingInterceptor - Request completed: /v1/getSessionInfo with status 200

2019-05-07 10:56:44.388 -0700 (Folks Friendly Name,someUser,someRand,pupupuPuuu, heheheHee,1-couldBeToken) catalina-exec-29 vizportal: INFO  com.tableausoftware.app.vizportal.LoggingInterceptor - Request received: /v1/getSessionInfo

I haven't had time to analyze their log4j properties, but so far I am doing this very brittle stick-poking to share examples for the Tableau team...

index="tableau_team"  sourcetype="tableau:vizportal" 
earliest=-1h
"Request "
| rex ":\s(?<log_level>[^\s][A-Z]{1,8})\s"
| rex "\((?<token_payload>[^\)]*)\)"
| eval fields=split(token_payload,",")
| eval tkn_1=mvindex(fields,0)
| eval tkn_2=mvindex(fields,1)
| eval tkn_3=mvindex(fields,2)
| eval tkn_4=mvindex(fields,3)
| eval tkn_5=mvindex(fields,4)
| eval tkn_6=mvindex(fields,5)
| rex "Request\s(?<request_payload>[^\$]*)"
| rex field=request_payload "(?<request_type>[^\s]\S+):"
| fillnull request_type value=req_start
| rex field=request_payload ":\s(?<request_ctx>[^\s]\S+)"
| rex field=request_payload "with\s(?<req_status_string>[^\s][\s\w]+)"
| rex field=req_status_string "status\s(?<req_status_code>[^\$][\d]{1,3})"
| table _time log_level token_payload tkn* request_payload request_type request_ctx req_status_string req_status_code _raw
| stats values(token_payload) values(req_status_code) range(_time) AS tx_duration by tkn_5 request_ctx
| chart max(tx_duration) by request_ctx
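The rex chains from the posts above (log level, operation, message, and the received/completed pairing by session token and request path), carried into one stand-alone parser as an added example; this is not code from the thread or from Tableau. The event layout is assumed from the two sample events quoted above; the /v1/login events in the sample are constructed, not taken from a real server.

```python
import re
from datetime import datetime, timedelta

# Event layout assumed from the two sample events in the post:
#   <ts> <tz> (<session tuple>) <thread> <service>: <LEVEL>  <logger> - <message>
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"\((?P<token_payload>[^)]*)\) (?P<thread>\S+) (?P<service>\w+): "
    r"(?P<log_level>ERROR|INFO|EMERG|ALERT|CRIT|WARN|NOTICE|DEBUG)\s+"
    r"(?P<logger>\S+) - (?P<message>.*)$", re.S)
# LoggingInterceptor message shape seen in the samples (status only on completion).
REQUEST_RE = re.compile(
    r"^Request (?P<request_type>received|completed): (?P<request_ctx>\S+)"
    r"(?: with status (?P<status>\d{3}))?")

def parse_event(line):
    """Extract the fields the rex chains produce; None if the line is not vizportal-shaped."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["tkn"] = [t.strip() for t in ev["token_payload"].split(",")]  # split()/mvindex()
    ev["time"] = datetime.strptime(ev["ts"] + ev["tz"], "%Y-%m-%d %H:%M:%S.%f%z")
    r = REQUEST_RE.match(ev["message"])
    ev.update(r.groupdict() if r else dict.fromkeys(("request_type", "request_ctx", "status")))
    return ev

def request_transactions(lines):
    """Pair received/completed by (tkn_5, request_ctx), like `stats ... by tkn_5 request_ctx`.
    Returns {(tkn_5, path): (status_code, duration_ms)} so slow or failed (>= 400) calls stand out."""
    started, finished = {}, {}
    for ev in filter(None, map(parse_event, lines)):
        if not ev["request_type"]:
            continue
        key = (ev["tkn"][4], ev["request_ctx"])  # tkn_5 is mvindex(fields, 4): 5th tuple element
        if ev["request_type"] == "received":
            started[key] = ev["time"]
        elif key in started:
            ms = (ev["time"] - started.pop(key)) // timedelta(milliseconds=1)
            finished[key] = (int(ev["status"]), ms)
    return finished

# Constructed sample: the two events quoted in the post plus one made-up failed call.
SAMPLE = [
    "2019-05-07 10:56:44.388 -0700 (Folks Friendly Name,someUser,someRand,pupupuPuuu, heheheHee,1-couldBeToken) catalina-exec-29 vizportal: INFO  com.tableausoftware.app.vizportal.LoggingInterceptor - Request received: /v1/getSessionInfo",
    "2019-05-07 10:56:44.398 -0700 (Folks Friendly Name,someUser,someRand,pupupuPuuu, heheheHee,1-couldBeToken) catalina-exec-29 vizportal: INFO  com.tableausoftware.app.vizportal.LoggingInterceptor - Request completed: /v1/getSessionInfo with status 200",
    "2019-05-07 10:57:01.000 -0700 (Folks Friendly Name,someUser,someRand,pupupuPuuu, heheheHee,1-couldBeToken) catalina-exec-30 vizportal: INFO  com.tableausoftware.app.vizportal.LoggingInterceptor - Request received: /v1/login",
    "2019-05-07 10:57:01.250 -0700 (Folks Friendly Name,someUser,someRand,pupupuPuuu, heheheHee,1-couldBeToken) catalina-exec-30 vizportal: INFO  com.tableausoftware.app.vizportal.LoggingInterceptor - Request completed: /v1/login with status 401",
]
```

Calling `request_transactions(SAMPLE)` gives the 200 in 10 ms for /v1/getSessionInfo and the constructed 401 in 250 ms for /v1/login, which is the same grouping the final `stats` in the search produces.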