Reporting

Where or into which System Index - Does Splunk write logs about Orphaned Searches

PowerPacked
Builder

Hi All

I would like to know into which internal system index and source Splunk writes logs about orphaned searches.

I know there is a REST API search which can show all orphaned searches, but I would like to see this data in the internal indexes as I am creating some KPIs on it.

Thanks

0 Karma
1 Solution

gjanders
SplunkTrust

Within the Alerts For Splunk Admins application I wrote a search called "SearchHeadLevel - LDAP users have been disabled or left the company cleanup required".

If you just want the one search, refer to the savedsearches.conf in GitHub; however, there is no exact way I know of beyond the REST API of doing this. The search "SearchHeadLevel - LDAP users have been disabled or left the company cleanup required" works for my environment...

Here's the main part of the search; it's a bit complicated. I've stripped the comments in case you don't have that macro available:

index=_internal host=<yoursearchheadhosts> "Failed to get LDAP user=\"" OR "Couldn't find matching groups for user=" OR "HTTPAuthManager - SSO failed - User does not exist" sourcetype=splunkd source=*splunkd.log
| dedup message 
| rex "SSO failed - User does not exist: (?P<user>\S+)"
| stats count, values(message) AS messages, values(component) AS components, values(log_level), max(_time) AS lastSeen by user, host
| where user!="undefined" AND user!="nobody" AND like(messages,"Failed to get LDAP user%") AND NOT like(messages,"SSO failed - User does not exist%")
| table user, messages, lastSeen, host
| eval lastSeen=strftime(lastSeen, "%+")


0 Karma
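To make the pipeline above concrete without a Splunk instance at hand, here is an added Python example (not part of the original answer, the Alerts For Splunk Admins app, or Splunk itself) that runs the same logic over a handful of constructed splunkd.log lines: the free-text base search, dedup on message, stats by user and host, the where clause, and the final table. The line layout, the component names, the host name sh01.example.internal and the sample users are all assumptions for the demo, and the multivalue like() test is approximated as "any message matches", so treat it as an illustration of the search's intent rather than a byte-exact reimplementation of Splunk's evaluation rules.

```python
import re
from collections import defaultdict
from datetime import datetime

HOST = "sh01.example.internal"  # hypothetical search head, stands in for host=<yoursearchheadhosts>

# Constructed sample splunkd.log lines, not real Splunk output. The timestamp layout
# and component names are assumptions for this demo; the message fragments follow the
# three patterns the SPL search matches on, plus one duplicate and one unrelated line.
SAMPLE_LOG = """\
05-01-2024 10:15:02.101 +0000 WARN  AuthenticationManagerLDAP - Failed to get LDAP user="jdoe" from any configured servers
05-01-2024 10:15:02.101 +0000 WARN  AuthenticationManagerLDAP - Failed to get LDAP user="jdoe" from any configured servers
05-01-2024 11:02:44.900 +0000 WARN  AuthenticationManagerLDAP - Failed to get LDAP user="bwayne" from any configured servers
05-01-2024 11:02:45.000 +0000 WARN  AuthenticationManagerLDAP - Couldn't find matching groups for user="bwayne"
05-02-2024 09:00:00.000 +0000 WARN  AuthenticationManagerLDAP - Failed to get LDAP user="ghost" from any configured servers
05-02-2024 09:00:00.500 +0000 ERROR HTTPAuthManager - SSO failed - User does not exist: ghost
05-02-2024 09:30:10.333 +0000 WARN  AuthenticationManagerLDAP - Failed to get LDAP user="nobody" from any configured servers
05-02-2024 09:31:00.000 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2
"""

# The three free-text terms from the SPL base search.
BASE_TERMS = (
    'Failed to get LDAP user="',
    "Couldn't find matching groups for user=",
    "HTTPAuthManager - SSO failed - User does not exist",
)

# Assumed splunkd.log line shape: "<timestamp> <tz> <log_level> <component> - <message>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<log_level>\w+)\s+(?P<component>\S+) - (?P<message>.*)$"
)
KV_USER_RE = re.compile(r'\buser="(?P<user>[^"]*)"')  # stands in for Splunk's automatic key="value" extraction
SSO_USER_RE = re.compile(r"SSO failed - User does not exist: (?P<user>\S+)")  # the search's rex


def parse_event(line):
    """Return the fields the SPL pipeline relies on, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["_time"] = datetime.strptime(ev.pop("ts"), "%m-%d-%Y %H:%M:%S.%f %z")
    kv = KV_USER_RE.search(ev["message"])
    sso = SSO_USER_RE.search(ev["message"])
    ev["user"] = sso.group("user") if sso else (kv.group("user") if kv else None)
    return ev


def find_users_missing_from_ldap(log_text, host=HOST):
    """Python equivalent of the SPL: base search -> dedup message -> stats by user, host -> where -> table."""
    seen_messages = set()  # | dedup message
    groups = defaultdict(lambda: {"count": 0, "messages": set(), "components": set(),
                                  "log_levels": set(), "lastSeen": None})
    for line in log_text.splitlines():
        if not any(term in line for term in BASE_TERMS):  # the free-text terms of the base search
            continue
        ev = parse_event(line)
        if ev is None or ev["user"] is None:  # stats "by user" drops events without the field
            continue
        if ev["message"] in seen_messages:
            continue
        seen_messages.add(ev["message"])
        g = groups[(ev["user"], host)]  # | stats ... by user, host
        g["count"] += 1
        g["messages"].add(ev["message"])
        g["components"].add(ev["component"])
        g["log_levels"].add(ev["log_level"])
        if g["lastSeen"] is None or ev["_time"] > g["lastSeen"]:
            g["lastSeen"] = ev["_time"]

    results = {}
    for (user, h), g in groups.items():
        msgs = g["messages"]
        # | where user!="undefined" AND user!="nobody" AND like(messages,"Failed to get LDAP user%")
        #         AND NOT like(messages,"SSO failed - User does not exist%")
        # Multivalue like() is approximated here as "any message matches".
        if user in ("undefined", "nobody"):
            continue
        if not any(m.startswith("Failed to get LDAP user") for m in msgs):
            continue
        if any(m.startswith("SSO failed - User does not exist") for m in msgs):
            continue
        results[user] = {  # | table user, messages, lastSeen, host
            "count": g["count"],
            "messages": sorted(msgs),
            "lastSeen": g["lastSeen"].strftime("%Y-%m-%d %H:%M:%S %z"),  # | eval lastSeen=strftime(...)
            "host": h,
        }
    return results


if __name__ == "__main__":
    for user, row in find_users_missing_from_ldap(SAMPLE_LOG).items():
        print(f"{user:10} count={row['count']} lastSeen={row['lastSeen']} host={row['host']}")
        for m in row["messages"]:
            print(f"{'':10} {m}")
```

Running it reports jdoe (one event, because the duplicate line is removed by the dedup step) and bwayne (two distinct messages), while ghost is dropped by the NOT like() clause on the SSO message and nobody by the user!="nobody" filter; that mirrors how the search separates accounts that really disappeared from LDAP from SSO lookups for users who never existed in Splunk.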


tiagofbmm
Influencer

I don't think Splunk keeps that info in the internal indexes. You can still create your KPIs on that matter by using the | rest command and gathering the data you need.

Why do you need the data to come from the indexers if you can still access it in SPL via | rest?

0 Karma