5/28/2018 Step by Step Guide for ObserveIT Splunk Integration NOTES
Copyright 2011 ObserveIT Ltd. All rights reserved. Confidential and proprietary information for ObserveIT internal use only. No unauthorized copying or distribution permitted.
Page 1 of 10
Step By Step Guide for ObserveIT and Splunk Integration
Last Saved Date March 26, 2014
Revision 1.2
1 USING SPLUNK
1. http address: http://10.2.56.71:8000/en-US/app/ObserveIT/
2. user: admin
3. password: admin
4. To view User Activity Pie over time, click on Search & reports
5. Select ObserveIT-Users over time
6. You will get the following results
7. If you move the mouse over the pie, you will see the statistical data of the users' activity
8. If you click on the users pie, you will get a new IE window with the list of metadata details of the user
9. Copy the HTTP video link and paste it into your Internet Explorer address
10. Make sure that your machine recognizes OITHostedDemo-S as 184.106.234.181
11. It can be done by modifying file: C:\Windows\System32\drivers\etc\hosts
12. Add the following line to the end of the file and save it
184.106.234.181 oithosteddemo-s
13. If NOT, then change OITHostedDemo-S to 184.106.234.181 in the following link:
http://OITHostedDemo-S:4884/ObserveIT/SlideViewer.aspx?SessionID=CE1A0D4E-C342-48B8-ADC5-6CFB7F9A7702&DisplayOnAir=false&lang=en
14. You will need to provide ObserveIT user/password to see the video
15. The following report is also available from Search & Reports: ObserveIT-Server Usage (Top Values)
16. Application Over Time
17. Click on Views->ObserveIT to see the following dashboard.
18. The pies are clickable: you can click on Servers, Users, Applications, Logins, and get the list of events that are related to your request.
End
2 CREATE OBSERVEIT INPUT LOG FILES
Use the following SQL:
3 DEFINE DATA INPUT SOURCE
File: C:\Program Files\Splunk\etc\apps\ObserveIT\local\Inputs.conf
[monitor://D:\Users\ilan\Documents\ObserveIT\Splunk\LogFiles\1]
disabled = 0
4 TROUBLESHOOTING
4.1 Splunk: Delete all events
1. C:\Program Files\Splunk\bin>splunk.exe stop
2. C:\Program Files\Splunk\bin>splunk.exe clean eventdata
3. C:\Program Files\Splunk\bin>splunk.exe start
4.2 Splunk: Reload events
splunk.exe stop
splunk.exe add oneshot D:\temp\LogFiles\3\Data_Query_v4.log -sourcetype ObserveITUserActivity
splunk.exe add oneshot C:\Monitor_Log_55_for_Splunk\log\Data_Query_v5.log -sourcetype ObserveITUserActivity
splunk.exe start
Merry Christmas and happy New Year
4.3 Input.conf
Add the line marked in red (the colour marking is not preserved in this copy), then restart Splunk:
[monitor://C:\temp\LogFiles\3]
disabled = false
followTail = 0
sourcetype = ObserveIT User Activity
CHECK_FOR_HEADER=TRUE
Modify also: C:\Program Files\Splunk\etc\apps\learned\local\props.conf
Add the following lines:
[source::D:\temp\LogFiles\3\Data_Query_v4.log]
sourcetype = ObserveIT User Activity
[ObserveIT User Activity]
CHECK_FOR_HEADER = TRUE
[ObserveIT User Activity-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1
4.4 Enable automatic header-based field extraction
Enable automatic header-based field extraction for any source or source type by editing or creating props.conf. Edit this file in
$SPLUNK_HOME/etc/system/local/, or in your own custom application directory in $SPLUNK_HOME/etc/apps//local.
Note: If you are using Splunk in a distributed environment, be sure to place the props.conf and transforms.conf files that you update for header-based field extraction on your search head, not the indexer.
For more information on configuration files in general, see "About configuration files" in the Admin manual.
To turn on automatic header-based field extraction for a source or source type, add CHECK_FOR_HEADER=TRUE under that source or source type's stanza in props.conf.
Example props.conf entry (the Splunk documentation's MS Exchange example, adapted here for the ObserveIT source):
[source::C:\temp\LogFiles\3\Data_Query_v4.log]
sourcetype=ObserveIT User Activity
[ObserveIT User Activity]
CHECK_FOR_HEADER=TRUE
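The field extraction configured in 4.3 and 4.4 only takes effect when the sourcetype named in the inputs.conf monitor stanza matches a props.conf stanza that carries CHECK_FOR_HEADER=TRUE; a spelling mismatch (the guide itself uses both "ObserveITUserActivity" and "ObserveIT User Activity") silently leaves events without fields. The following added example, which is not ObserveIT's or Splunk's code, parses both files with a minimal stanza reader and reports such mismatches; the .conf text is a constructed sample modelled on the page.

```python
"""Cross-check Splunk inputs.conf against props.conf for header-based extraction.
Added example (not ObserveIT's or Splunk's code); sample .conf text is constructed."""


def parse_conf(text):
    """Minimal reader for Splunk .conf files: [stanza] blocks of key = value lines."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_header_extraction(inputs_text, props_text):
    """Return findings for every monitor:// stanza whose sourcetype has no
    props.conf stanza with CHECK_FOR_HEADER = TRUE (fields would not be extracted)."""
    inputs, props = parse_conf(inputs_text), parse_conf(props_text)
    findings = []
    for name, keys in inputs.items():
        if not name.startswith("monitor://"):
            continue
        st = keys.get("sourcetype")
        if st is None:
            findings.append(f"{name}: no sourcetype set, Splunk will auto-learn one")
        elif st not in props:
            findings.append(f"{name}: sourcetype '{st}' has no props.conf stanza")
        elif props[st].get("CHECK_FOR_HEADER", "").upper() != "TRUE":
            findings.append(f"{name}: '{st}' lacks CHECK_FOR_HEADER = TRUE")
    return findings


# Constructed sample: the monitor stanza uses the compact spelling from 4.2,
# while props.conf (as in 4.3) defines the spaced spelling, so extraction never applies.
INPUTS_CONF = r"""[monitor://C:\temp\LogFiles\3]
disabled = false
followTail = 0
sourcetype = ObserveITUserActivity
"""
PROPS_CONF = r"""[source::C:\temp\LogFiles\3\Data_Query_v4.log]
sourcetype = ObserveIT User Activity

[ObserveIT User Activity]
CHECK_FOR_HEADER = TRUE
"""

if __name__ == "__main__":
    for finding in check_header_extraction(INPUTS_CONF, PROPS_CONF):
        print(finding)
```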
4.5 ObserveIT Application main menu
C:\Program Files\Splunk\etc\apps\ObserveIT\default\data\ui\nav\default.xml
http://docs.splunk.com/Documentation/Splunk/4.2.5/admin/Aboutconfigurationfiles