Splunk Search

Issues with OMS Query Filters

blangrill
Explorer

Use case: I want to pull a specific set of security events from OMS into Splunk. Within OMS log search, querying for:

SecurityBaseline

gives me all events from the set, and filtering for the events I want is:

SecurityBaseline | AnalyzeResult=="Failed"

No issues.

In Splunk OMS inputs, setting my "OMS Query" to the first one does indeed work and start pulling events from that set (it is huge). However, if I change it to the latter with the filter no events are pulled and the following error show up in the oms app log:

tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "E:\splunk\etc\apps\TA-OMS_Inputs\bin\ta_oms_inputs\modinput_wrapper\base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "E:\splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py", line 96, in collect_events
    input_module.collect_events(self, ew)
  File "E:\splunk\etc\apps\TA-OMS_Inputs\bin\input_module_oms_inputs.py", line 86, in collect_events
    search_id = data["id"].split("/")

Relatively new to OMS, but I think this is probably just a syntax issue somewhere...any place for reference queries or different way I should do this?

(If it matters, I am using OMS Inputs app v 1.3.3 on Splunk Enterprise 7.0.2)

1 Solution

jkat54
SplunkTrust
SplunkTrust

Try using this article to convert the query to the “legacy”
Style that the api version this app uses will support.

https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-log-search-transition

I think this will work

Type=SecurityBaseline AnalyzeResult=Failed

View solution in original post

0 Karma

jkat54
SplunkTrust
SplunkTrust

Try using this article to convert the query to the “legacy”
Style that the api version this app uses will support.

https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-log-search-transition

I think this will work

Type=SecurityBaseline AnalyzeResult=Failed

0 Karma

blangrill
Explorer

This was the trick. Thank you!

jkat54
SplunkTrust
SplunkTrust

@david_panych @maciep

You might be interested in this link we found too

jkat54
SplunkTrust
SplunkTrust

@dpanych

sorry @david for multiple tags. See you at the next UG meeting maybe, checking flights now

0 Karma

jkat54
SplunkTrust
SplunkTrust

Hey, I’m the author of the app. I’m new to OMS too. I just grabbed a python script that was on MS azure docs website and wrapped it into a modular inputs app. Since then, they have added a new loganalytics API and they recently sent out communications that they plan to shut down the old API. So I’m in process of developing a new version of the app to work with the newer API. They also changed the OMS query language once or twice along the way. So, it gets complicated making this app work.

Still I will do what I can to help. We might just need to jump on a webex to figure it out though.

First thought is, what happens if you “escape” the pipe in the query?

SecurityBaseline | AnalyzeResult=="Failed"

Also it looks like there may have been more to the error message you found. Can you see if there’s more? Looks like the stack trace ends before the actual error is displayed.

0 Karma

blangrill
Explorer

I definitely appreciate the effort. If there are upcoming changes to the way data is pulled this probably doesn't matter too much.

I tried escaping the pipe and the quotes and always got the same error. Yes that is it in full above from the splunk GUI. Here is the lines directly from the oms_inputs.log file:

2018-06-27 16:46:12,069 ERROR pid=4584 tid=MainThread file=base_modinput.py:log_error:307 | Get error when collecting events.
Traceback (most recent call last):
  File "E:\splunk\etc\apps\TA-OMS_Inputs\bin\ta_oms_inputs\modinput_wrapper\base_modinput.py", line 127, in stream_events
    self.collect_events(ew)
  File "E:\splunk\etc\apps\TA-OMS_Inputs\bin\oms_inputs.py", line 96, in collect_events
    input_module.collect_events(self, ew)
  File "E:\splunk\etc\apps\TA-OMS_Inputs\bin\input_module_oms_inputs.py", line 86, in collect_events
    search_id = data["id"].split("/")
KeyError: 'id'

Any idea if there is a way to see the query as submitted to OMS using the correlation_id? My OMS guy wasn't aware of one.

0 Karma

jkat54
SplunkTrust
SplunkTrust

Yes on the correlationid but it’s in azure audit logs iirc. However it’s more to the tune of “this GET request was made using this account”. Nothing diagnostic / debugish to my knowledge. I very well could be wrong though.

Is there anything happening in index=_internal sourcetype=splunk_python ?

If not, I’m happy to spend an hour or so on webex to help. Just needs to be next week and after 5pm eastern if possible. Or before 9am. Can’t work on it when I’m obligated to other tasks.

Send me an email and we’ll work it out: mbentley rtptech.com. @ removed to prevent spam.

0 Karma

jkat54
SplunkTrust
SplunkTrust

index=_internal sourcetype=splunk_python OR (sourcetype=splunkd AND oms_inputs.py)

Here’s the best search for debugging this thing.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...