Where or into which System Index - Does Splunk write logs about Orphaned Searches

PowerPacked
Builder

Hi All

I would like to know into which internal system index and source Splunk writes logs about orphaned searches.

I know there is a REST API search which can show all orphaned searches, but I would like to see this data in the internal indexes as I am creating some KPIs on it.

Thanks

0 Karma
1 Solution

gjanders
SplunkTrust

Within the Alerts For Splunk Admins application I wrote a search called "SearchHeadLevel - LDAP users have been disabled or left the company cleanup required"

If you just want the one search, refer to the savedsearches.conf in GitHub; however, there is no exact way I know of beyond the REST API of doing this. The search "SearchHeadLevel - LDAP users have been disabled or left the company cleanup required" works for my environment...

Here's the main part of the search; it's a bit complicated. I've stripped the comments in case you don't have that macro available:

index=_internal host=<yoursearchheadhosts> "Failed to get LDAP user=\"" OR "Couldn't find matching groups for user=" OR "HTTPAuthManager - SSO failed - User does not exist" sourcetype=splunkd source=*splunkd.log
| dedup message 
| rex "SSO failed - User does not exist: (?P<user>\S+)"
| stats count, values(message) AS messages, values(component) AS components, values(log_level), max(_time) AS lastSeen by user, host
| where user!="undefined" AND user!="nobody" AND like(messages,"Failed to get LDAP user%") AND NOT like(messages,"SSO failed - User does not exist%")
| table user, messages, lastSeen, host
| eval lastSeen=strftime(lastSeen, "%+")

0 Karma


tiagofbmm
Influencer

I don't think Splunk keeps that info in Internal Indexes. You can still create your KPIs on that matter by using the command | rest and gather the data you need.

Why do you need the data to come from the indexers if you can still access it in SPL via | rest?

0 Karma
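As an added example that is not code from either poster nor from the Alerts For Splunk Admins app, the Python below combines the two approaches in this thread: it applies the splunkd.log message patterns from gjanders' search (the "Failed to get LDAP user" and "SSO failed - User does not exist" events, with the same undefined/nobody exclusions) to raw log lines, and it builds a KPI from the saved/searches REST endpoint that tiagofbmm points to, using the endpoint's add_orphan_field parameter and output_mode=json. The log lines and the REST payload are constructed samples; base_url and token in fetch_saved_searches are placeholders for your own search head, and that function is not called in the demo.

```python
"""Orphaned-search KPI helpers: splunkd.log patterns plus the saved/searches REST endpoint."""
import json
import re
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime

# Message patterns taken from the SPL search in the accepted answer (splunkd.log on the search heads).
TIMESTAMP_RE = re.compile(r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3})")
LDAP_FAIL_RE = re.compile(r'Failed to get LDAP user="(?P<user>[^"]+)"')
SSO_FAIL_RE = re.compile(r"SSO failed - User does not exist: (?P<user>\S+)")
IGNORED_USERS = {"undefined", "nobody"}  # same exclusions as the SPL where clause


def users_missing_from_ldap(log_lines):
    """Mirror the SPL's stats/where logic over raw splunkd.log lines.

    Returns {user: last_seen_iso} for users whose LDAP lookup failed, dropping users that
    only produced SSO "does not exist" noise and the undefined/nobody pseudo-users.
    """
    ldap_last_seen, sso_users = {}, set()
    for line in log_lines:
        ts_match = TIMESTAMP_RE.match(line)
        if not ts_match:
            continue  # not a splunkd.log event line
        seen = datetime.strptime(ts_match.group("ts"), "%m-%d-%Y %H:%M:%S.%f")
        if m := LDAP_FAIL_RE.search(line):
            user = m.group("user")
            ldap_last_seen[user] = max(seen, ldap_last_seen.get(user, seen))  # max(_time)
        elif m := SSO_FAIL_RE.search(line):
            sso_users.add(m.group("user"))
    return {
        user: seen.isoformat()
        for user, seen in ldap_last_seen.items()
        if user not in IGNORED_USERS and user not in sso_users
    }


def fetch_saved_searches(base_url, token):
    """GET every saved search from splunkd's management port with the orphan flag added.

    base_url (e.g. https://searchhead.example:8089) and token are placeholders; default TLS
    verification is kept. Not executed in the demo below.
    """
    params = urllib.parse.urlencode({"output_mode": "json", "count": 0, "add_orphan_field": "true"})
    req = urllib.request.Request(
        f"{base_url}/servicesNS/-/-/saved/searches?{params}",
        headers={"Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def orphaned_saved_searches(payload):
    """Pick the entries the REST API flagged as orphaned (owner account no longer exists)."""
    orphans = []
    for entry in payload.get("entry", []):
        content, acl = entry.get("content", {}), entry.get("acl", {})
        if str(content.get("orphan", False)).lower() not in ("1", "true"):
            continue
        orphans.append({
            "title": entry["name"], "owner": acl.get("owner"), "app": acl.get("app"),
            "scheduled": bool(content.get("is_scheduled")), "disabled": bool(content.get("disabled")),
        })
    return orphans


def orphan_kpi(orphans, missing_users):
    """KPI summary: totals, breakdowns, and owners corroborated by LDAP failures in splunkd.log."""
    return {
        "total": len(orphans),
        "scheduled_enabled": sum(1 for o in orphans if o["scheduled"] and not o["disabled"]),
        "by_app": dict(Counter(o["app"] for o in orphans)),
        "by_owner": dict(Counter(o["owner"] for o in orphans)),
        "owners_confirmed_missing": sorted({o["owner"] for o in orphans} & set(missing_users)),
    }


# Constructed sample splunkd.log lines (not real events).
SAMPLE_LOG_LINES = [
    '03-14-2024 10:15:22.101 +0000 WARN  AuthenticationManagerLDAP - Failed to get LDAP user="jdoe" from any strategy',
    '03-14-2024 10:15:22.102 +0000 WARN  AuthenticationManagerLDAP - Couldn\'t find matching groups for user="asmith"',
    "03-14-2024 10:15:23.500 +0000 ERROR HTTPAuthManager - SSO failed - User does not exist: ghost",
    '03-15-2024 09:00:00.000 +0000 WARN  AuthenticationManagerLDAP - Failed to get LDAP user="jdoe" from any strategy',
    '03-15-2024 09:00:01.000 +0000 WARN  AuthenticationManagerLDAP - Failed to get LDAP user="nobody" from any strategy',
]

# Constructed sample of the REST JSON shape (entry -> name / acl / content).
SAMPLE_REST_PAYLOAD = {"entry": [
    {"name": "Daily failed logins", "acl": {"owner": "jdoe", "app": "search"},
     "content": {"disabled": False, "is_scheduled": True, "orphan": True}},
    {"name": "Ad-hoc report", "acl": {"owner": "jdoe", "app": "search"},
     "content": {"disabled": True, "is_scheduled": False, "orphan": True}},
    {"name": "Errors in the last 24h", "acl": {"owner": "admin", "app": "search"},
     "content": {"disabled": False, "is_scheduled": True, "orphan": False}},
]}

if __name__ == "__main__":
    missing = users_missing_from_ldap(SAMPLE_LOG_LINES)
    print(json.dumps(orphan_kpi(orphaned_saved_searches(SAMPLE_REST_PAYLOAD), missing), indent=2))
```

Running the file prints the KPI for the sample data; for live data, replace SAMPLE_REST_PAYLOAD with the result of fetch_saved_searches and feed the _internal events from the accepted answer's search into users_missing_from_ldap. The scheduled_enabled count is the one worth alerting on, since those are the orphaned searches the scheduler will keep skipping.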