Hi All
I would like to know which internal index and source Splunk writes logs about orphaned searches to.
I know there is a REST API search which can show all orphaned searches, but I would like to see this data in the internal indexes as I am creating some KPIs on it.
Thanks
Within the Alerts For Splunk Admins application I wrote a search called "SearchHeadLevel - LDAP users have been disabled or left the company cleanup required"
If you just want the one search, refer to the savedsearches.conf in GitHub; however, there is no exact way I know of beyond the REST API of doing this. The search "SearchHeadLevel - LDAP users have been disabled or left the company cleanup required" works for my environment...
Here's the main part of the search, it's a bit complicated, I've stripped the comments in case you don't have that macro available:
index=_internal host=<yoursearchheadhosts> "Failed to get LDAP user=\"" OR "Couldn't find matching groups for user=" OR "HTTPAuthManager - SSO failed - User does not exist" sourcetype=splunkd source=*splunkd.log
| dedup message
| rex "SSO failed - User does not exist: (?P<user>\S+)"
| stats count, values(message) AS messages, values(component) AS components, values(log_level), max(_time) AS lastSeen by user, host
| where user!="undefined" AND user!="nobody" AND like(messages,"Failed to get LDAP user%") AND NOT like(messages,"SSO failed - User does not exist%")
| table user, messages, lastSeen, host
| eval lastSeen=strftime(lastSeen, "%+")
I don't think Splunk keeps that info in internal indexes. You can still create your KPIs on that matter by using the command | rest and gathering the data you need.
Why do you need the data to come from the indexers if you can still access it in SPL by | rest?
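As an added example (not from either answer above), here is one way to build the | rest approach into a KPI-ready search: it lists scheduled, enabled saved searches whose owner no longer exists as a Splunk user, which is what makes a search orphaned. It assumes the saved/searches and authentication/users endpoints and the eai:acl.owner, is_scheduled, disabled, cron_schedule and next_scheduled_time fields are available on your search head; adjust splunk_server if you run this across a cluster.

```spl
| rest /servicesNS/-/-/saved/searches splunk_server=local
| search is_scheduled=1 disabled=0
| rename eai:acl.owner AS owner, eai:acl.app AS app
| join type=left owner
    [| rest /services/authentication/users splunk_server=local
     | rename title AS owner
     | eval user_exists=1
     | table owner, user_exists]
| where isnull(user_exists) AND owner!="nobody"
| table title, app, owner, cron_schedule, next_scheduled_time
| stats count AS orphaned_scheduled_searches, values(title) AS searches BY app
```

Schedule this search and write its output to a summary index or a lookup, which gives you the internal-index-like KPI source the question asks for while the raw data still comes from the REST endpoints.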