step by step guide for observeit splunk integration notes

Upload: kiran84k

Posted on 18-Oct-2015

DESCRIPTION

Splunk notes

TRANSCRIPT

  • 5/28/2018 Step by Step Guide for ObserveIT Splunk Integration NOTES

    Copyright 2011 ObserveIT Ltd. All rights reserved. Confidential and proprietary information for ObserveIT internal use only. No unauthorized copying or distribution permitted.

    Page 1 of 10

    Step by Step Guide for ObserveIT and Splunk Integration

    Last Saved Date: March 26, 2014

    Revision 1.2


    1 USING SPLUNK

    1. HTTP address: http://10.2.56.71:8000/en-US/app/ObserveIT/

    2. User: admin

    3. Password: admin

    4. To view the User Activity pie over time, click on Search & Reports.

    5. Select ObserveIT-Users over time.

    6. You will get the following results.


    7. If you move the mouse over the pie, you will see the statistical data of the user's activity.


    8. If you click on the users pie, you will get a new IE window with the list of metadata details of the user.

    9. Copy the HTTP video link and paste it into your Internet Explorer address bar.

    10. Make sure that your machine recognizes OITHostedDemo-S as 184.106.234.181.

    11. It can be done by modifying the file: C:\Windows\System32\drivers\etc\hosts

    12. Add the following line to the end of the file and save it:

    184.106.234.181 oithosteddemo-s


    13. If NOT, then change OITHostedDemo-S to 184.106.234.181 in the link:

    http://OITHostedDemo-S:4884/ObserveIT/SlideViewer.aspx?SessionID=CE1A0D4E-C342-48B8-ADC5-6CFB7F9A7702&DisplayOnAir=false&lang=en

    14. You will need to provide an ObserveIT user/password to see the video.

    15. The following report is also available from Search & Reports: ObserveIT-Server Usage (Top Values)

    16. Application Over Time


    17. Click on Views -> ObserveIT to see the following dashboard.

    18. The pies are clickable: you can click on Servers, Users, Applications, Logins, and get the list of events that are related to your request.

    19. End.
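    Steps 10 to 13 depend on the workstation resolving OITHostedDemo-S to 184.106.234.181 through the hosts file, and the video link only works once that mapping is in place. The following Python script is an added example, not part of the original notes or of ObserveIT's tooling: it parses a hosts file the way Windows reads it (first matching entry wins, text after `#` ignored, names matched case-insensitively), confirms the name maps to the expected address, and applies the step 13 fallback of swapping the hostname in the SlideViewer URL for the IP when the entry is absent or points elsewhere. The two hosts-file texts are constructed samples.

```python
"""Check the hosts-file mapping from steps 10-13 and rewrite the SlideViewer
URL to the IP address when the mapping is missing (step 13).
Added example; not part of the original ObserveIT notes."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample hosts files. Windows honours the first entry for a name
# and ignores everything after '#'.
HOSTS_WITH_ENTRY = """# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
184.106.234.181 oithosteddemo-s   # ObserveIT hosted demo (added in step 12)
"""
HOSTS_WITHOUT_ENTRY = "127.0.0.1       localhost\n"

# The video link from step 13 (session id as printed on the page).
VIDEO_URL = ("http://OITHostedDemo-S:4884/ObserveIT/SlideViewer.aspx"
             "?SessionID=CE1A0D4E-C342-48B8-ADC5-6CFB7F9A7702"
             "&DisplayOnAir=false&lang=en")
EXPECTED_IP = "184.106.234.181"


def parse_hosts(text):
    """Return {hostname_lowercase: ip}, keeping the first mapping per name."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()                   # tabs or spaces
        if len(parts) < 2:
            continue                           # malformed line, skip it
        ip, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), ip)   # first entry wins
    return mapping


def host_is_mapped(hosts_text, hostname, expected_ip):
    """True only if the name resolves, via the hosts file, to expected_ip.
    A stale entry pointing at another address counts as not mapped."""
    return parse_hosts(hosts_text).get(hostname.lower()) == expected_ip


def viewer_url_for(url, hosts_text, expected_ip):
    """Step 13: if the URL's hostname is not mapped to expected_ip, replace it
    with the address (keeping scheme, port, path and query); else return url."""
    parts = urlsplit(url)
    if host_is_mapped(hosts_text, parts.hostname, expected_ip):
        return url
    port = f":{parts.port}" if parts.port else ""
    return urlunsplit((parts.scheme, f"{expected_ip}{port}",
                       parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for label, hosts in (("with entry", HOSTS_WITH_ENTRY),
                         ("without entry", HOSTS_WITHOUT_ENTRY)):
        print(f"{label}: {viewer_url_for(VIDEO_URL, hosts, EXPECTED_IP)}")
```

    Comparing against the expected address rather than merely checking that the name exists catches the case where an older hosts entry points the demo hostname at a different server, which would otherwise look like a working mapping while the video fails to load.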


    2 CREATE OBSERVEIT INPUT LOG FILES

    Use the following SQL:


    3 DEFINE DATA INPUT SOURCE

    File: C:\Program Files\Splunk\etc\apps\ObserveIT\local\Inputs.conf

    [monitor://D:\Users\ilan\Documents\ObserveIT\Splunk\LogFiles\1]

    disabled = 0


    4 TROUBLESHOOTING

    4.1 Splunk: Delete all events

    1. C:\Program Files\Splunk\bin>splunk.exe stop

    2. C:\Program Files\Splunk\bin>splunk.exe clean eventdata

    3. C:\Program Files\Splunk\bin>splunk.exe start

    4.2 Splunk: Reload events

    splunk.exe stop

    splunk.exe add oneshot D:\temp\LogFiles\3\Data_Query_v4.log -sourcetype ObserveITUserActivity

    splunk.exe add oneshot C:\Monitor_Log_55_for_Splunk\log\Data_Query_v5.log -sourcetype ObserveITUserActivity

    splunk.exe start

    Merry Christmas and happy New Year

    4.3 Inputs.conf

    Add the line in red.

    Restart Splunk.

    [monitor://C:\temp\LogFiles\3]

    disabled = false

    followTail = 0

    sourcetype = ObserveIT User Activity

    CHECK_FOR_HEADER = TRUE

    Modify also: C:\Program Files\Splunk\etc\apps\learned\local\props.conf

    Add the following lines:

    [source::D:\temp\LogFiles\3\Data_Query_v4.log]

    sourcetype = ObserveIT User Activity

    [ObserveIT User Activity]

    CHECK_FOR_HEADER = TRUE

    [ObserveIT User Activity-2]

    KV_MODE = none

    REPORT-AutoHeader = AutoHeader-1


    4.4 Enable automatic header-based field extraction

    Enable automatic header-based field extraction for any source or source type by editing or creating props.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory in $SPLUNK_HOME/etc/apps/<app_name>/local.

    Note: If you are using Splunk in a distributed environment, be sure to place the props.conf and transforms.conf files that you update for header-based field extraction on your search head, not the indexer.

    For more information on configuration files in general, see "About configuration files" in the Admin manual.

    To turn on automatic header-based field extraction for a source or source type, add CHECK_FOR_HEADER=TRUE under that source or source type's stanza in props.conf.

    Example props.conf entry for an MS Exchange source:

    [source::C:\temp\LogFiles\3\Data_Query_v4.log]

    sourcetype=ObserveIT User Activity

    [ObserveIT User Activity]

    CHECK_FOR_HEADER=TRUE
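    Sections 4.3 and 4.4 together describe a pairing that is easy to get wrong: the monitor stanza in inputs.conf must assign a sourcetype, and that exact sourcetype (or a source:: stanza for the file) must have a props.conf stanza carrying CHECK_FOR_HEADER=TRUE, otherwise the header-based extraction never applies and the dashboards stay empty. The notes themselves use two spellings, "ObserveITUserActivity" in the 4.2 oneshot commands and "ObserveIT User Activity" in the 4.3 stanzas. The Python script below is an added example, not ObserveIT's or Splunk's code: it parses both .conf files with the standard library and reports monitor stanzas without a sourcetype and sourcetypes that lack a CHECK_FOR_HEADER=TRUE stanza. The two conf texts are constructed samples built from the stanzas on this page.

```python
"""Consistency check for the inputs.conf / props.conf pairing in 4.3 and 4.4.
Added example; not part of the original ObserveIT notes or of Splunk."""
import configparser

# Constructed samples mirroring the stanzas on the page. The second monitor
# stanza (from section 3) sets no sourcetype on purpose.
INPUTS_CONF = r"""
[monitor://C:\temp\LogFiles\3]
disabled = false
followTail = 0
sourcetype = ObserveIT User Activity
CHECK_FOR_HEADER = TRUE

[monitor://D:\Users\ilan\Documents\ObserveIT\Splunk\LogFiles\1]
disabled = 0
"""

PROPS_CONF = r"""
[source::D:\temp\LogFiles\3\Data_Query_v4.log]
sourcetype = ObserveIT User Activity

[ObserveIT User Activity]
CHECK_FOR_HEADER = TRUE

[ObserveIT User Activity-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
"""

# Sourcetype named on the 'splunk.exe add oneshot' commands in section 4.2.
ONESHOT_SOURCETYPES = ["ObserveITUserActivity"]


def parse_conf(text):
    """Parse Splunk's INI-style .conf text into {stanza: {key: value}}.
    Splunk keys are case-sensitive and values may contain '%', so turn off
    configparser's key lower-casing and interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def is_true(value):
    return str(value).strip().lower() in ("1", "true", "t", "yes")


def check_pairing(inputs_text, props_text, extra_sourcetypes=()):
    """Return a list of human-readable findings; an empty list means the
    monitor inputs and the header-extraction stanzas line up."""
    inputs = parse_conf(inputs_text)
    props = parse_conf(props_text)
    findings = []
    referenced = set(extra_sourcetypes)

    # 1. Every monitor:// stanza should name a sourcetype explicitly.
    for stanza, keys in inputs.items():
        if not stanza.startswith("monitor://"):
            continue
        sourcetype = keys.get("sourcetype")
        if sourcetype is None:
            findings.append(f"{stanza}: no sourcetype set")
        else:
            referenced.add(sourcetype)

    # source:: stanzas in props.conf also assign sourcetypes to files.
    for stanza, keys in props.items():
        if stanza.startswith("source::") and "sourcetype" in keys:
            referenced.add(keys["sourcetype"])

    # 2. Each referenced sourcetype needs a props.conf stanza with
    #    CHECK_FOR_HEADER=TRUE (section 4.4).
    for sourcetype in sorted(referenced):
        if sourcetype not in props:
            findings.append(
                f"sourcetype '{sourcetype}' referenced but has no props.conf stanza")
        elif not is_true(props[sourcetype].get("CHECK_FOR_HEADER", "false")):
            findings.append(f"[{sourcetype}]: CHECK_FOR_HEADER is not TRUE")
    return findings


if __name__ == "__main__":
    for line in check_pairing(INPUTS_CONF, PROPS_CONF, ONESHOT_SOURCETYPES) or ["OK"]:
        print(line)
```

    Run against the page's own stanzas it reports the monitor from section 3 that has no sourcetype and the "ObserveITUserActivity" spelling from 4.2 that matches no props.conf stanza; events loaded with that oneshot command would not get the header-based extraction that the "ObserveIT User Activity" stanza provides.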

    4.5 ObserveIT Application main menu

    C:\Program Files\Splunk\etc\apps\ObserveIT\default\data\ui\nav\default.xml

    http://docs.splunk.com/Documentation/Splunk/4.2.5/admin/Aboutconfigurationfiles