This app provides a set of starting dashboards for Microsoft SharePoint 2010 or SharePoint 2013 covering health, audit and usage. The data collection provided by the TA-Sharepoint (http://apps.splunk.com/app/1908) includes the following:
This app will not work until all installation steps are completed. The installation process will take some time and requires some adjustment to the permissions structures that govern the SharePoint farm.
The "central Splunk instance" (consisting of search heads and indexers) can be any operating system. You must be running Splunk v6.2 or later on all Splunk servers within the central Splunk instance.
Splunk App for Microsoft SharePoint supports:
The backend storage for SharePoint is SQL Server. If you wish, install the Splunk App for SQL Server, which is available on Splunkbase, prior to commencing work on SharePoint. Note that there is a single panel in a single dashboard that utilizes the SQL Server data.
Create the following indices in the Splunk Indexers:
In addition, you must deploy the TA-Sharepoint app to the Indexers or Heavy Intermediate Forwarders. This add-on can be found on Splunkbase at http://apps.splunk.com/app/1908. You will need to restart the splunkd process to register this app on each indexer. You can disable the inputs within this app on these hosts, as they are not necessary there.
The TA-Sharepoint add-on handles augmented line breaking and data fixing of the ULS logs so that each transaction is available as a single event instead of multiple events. This is required for exception reporting within the dashboards.
One of your SharePoint servers must be designated as an inventory and audit reader. This server will be used to gather the inventory information and to read the audit log within SharePoint. The Universal Forwarder that is installed on this SharePoint server will need special handling.
If you have multiple farms, then you must designate an Inventory and Audit Reader in each farm.
Each SharePoint server that is not the Inventory and Audit Reader host can get a standard "Local System" type install of the latest Splunk Universal Forwarder (version v6.2 or later). It should be linked to a Splunk Deployment Server so that you can easily push updated apps to the Universal Forwarder. It should be sending data to the central Splunk instance.
The Splunk Universal Forwarder that is running on the Inventory and Audit Reader must be running as a domain account. The domain accounts must have the following characteristics:
To add the database permissions properly, run the following command with machine administrator rights, from a farm administrator account that has shell admin privileges on SharePoint_Config:
Get-SPDatabase | Add-SPShellAdmin -UserName 'DOMAIN\user'
Where DOMAIN\user is the username of the user running the Splunk Universal Forwarder.
If you have multiple farms, then the user involved is probably different for each farm. Each farm will need its own Inventory and Audit Reader.
The following add-ons need to be deployed to each server:
Ensure you follow the instructions for enabling the Audit and Inventory inputs on the Audit and Inventory Reader.
Normally, the full URL that the user types in is not available in the logs. You need to adjust the logging specification for each web site in IIS as follows:
This needs to be completed on each SharePoint host that answers IIS queries (which is generally all of them).
Part of the app install will also enable a sharepoint role. Add users that will view the SharePoint data to the sharepoint role. Without this step, they may not be able to see the relevant data. As an alternative to this process, you can also edit the eventtypes supplied with the app to indicate which index the data resides in.
We need some data from the inventory and this is gathered on a regular basis. In general, this data is collected within the first hour of operation.
There is a dashboard under Searches and Reports -> Lookup Generators called the Lookup Table Builder. Use it to generate all the lookup tables.
Log into Splunk and open the Splunk App for SharePoint. Select Health -> Farm Errors. All errors in this report are significant.
If the modular inputs encounter errors, the errors will appear in the splunkd.log file. The most common will be something to the effect of "SPFarm.Local == null", which indicates a permissions problem. Specifically, the user that runs the Splunk Universal Forwarder on the Audit and Inventory Reader has not been added to the SPShellAdmin list with Add-SPShellAdmin.
If you get Farm Errors showing an SqlException 80131904, then it is likely that you have not provided access to all the databases. Log on to the Central Administration host as a farm administrator with shell admin rights on SharePoint_Config; bring up a PowerShell host using "Run as Administrator", and type the following:
Add-PsSnapIn Microsoft.SharePoint.PowerShell
Get-SPDatabase | Add-SPShellAdmin -UserName 'DOMAIN\user'
Replace the DOMAIN\user with the username of the user running the Splunk Universal Forwarder.
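To confirm the grant reached every database, the following read-only check lists each database and whether the forwarder account appears in its shell admin list. It is an added example, not part of the app or its add-on; DOMAIN\user is a placeholder, and it assumes an elevated PowerShell host on a farm server under a farm administrator account.

```powershell
# Added example: read-only audit of shell admin grants for the forwarder account.
# 'DOMAIN\user' is a placeholder for the account running the Universal Forwarder.
$ForwarderAccount = 'DOMAIN\user'

# Load the SharePoint cmdlets if this is not the SharePoint Management Shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$report = foreach ($db in Get-SPDatabase) {
    $status = 'Missing'
    try {
        # Accounts holding the shell access role on this one database.
        $admins = @(Get-SPShellAdmin -Database $db -ErrorAction Stop |
                    ForEach-Object { $_.UserName })
        # -contains compares case-insensitively, as account names do.
        if ($admins -contains $ForwarderAccount) { $status = 'Granted' }
    }
    catch {
        # The database could not be queried (offline, or the caller lacks rights).
        $status = 'Unknown: ' + $_.Exception.Message
    }
    # New-Object keeps this compatible with the PowerShell 2.0 host on SharePoint 2010.
    New-Object PSObject -Property @{
        Database = $db.Name
        Status   = $status
    }
}

$report | Sort-Object Status, Database | Format-Table Database, Status -AutoSize

# Anything not 'Granted' is a candidate cause of SqlException 80131904.
$notGranted = @($report | Where-Object { $_.Status -ne 'Granted' })
if ($notGranted.Count -gt 0) {
    Write-Warning ("{0} database(s) lack a confirmed grant for {1}" -f `
                   $notGranted.Count, $ForwarderAccount)
}
```

Databases created after the original grant will show as Missing until the Add-SPShellAdmin command above is run again, so this check is worth repeating after new content databases are added.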
The most common performance issue comes from the Inventory and Audit Reader. I recommend running this on a separate host if performance is an issue.
Open source license, plus removal of TA as it is now separate.