
Step By Step Guide for ObserveIT and Splunk integration

Last Saved Date March 26, 2014 Revision 1.2

Copyright 2011 ObserveIT Ltd. All rights reserved. Confidential and proprietary information for ObserveIT internal use only. No unauthorized copying or distribution permitted.

Page 1 of 10

1 USING SPLUNK

1. http address: http://10.2.56.71:8000/en-US/app/ObserveIT/
2. user: admin
3. password: admin

4. To view the User Activity pie over time, click on Search & Reports.
5. Select ObserveIT-Users over time.

6. You will get the following results.


7. If you move the mouse over the pie, you will see the statistical data of the users' activity.


8. If you click on the users pie, you will get a new IE window with the list of metadata details of the user.

9. Copy the HTTP video link and paste it into your Internet Explorer address bar.
10. Make sure that your machine recognizes OITHostedDemo-S as 184.106.234.181.
11. This can be done by modifying the file C:\Windows\System32\drivers\etc\hosts.
12. Add the following line to the end of the file and save it:

184.106.234.181 oithosteddemo-s


13. If not, replace OITHostedDemo-S with 184.106.234.181 in the following URL:

http://OITHostedDemo-S:4884/ObserveIT/SlideViewer.aspx?SessionID=CE1A0D4E-C342-48B8ADC5-6CFB7F9A7702&DisplayOnAir=false&lang=en

14. You will need to provide an ObserveIT user/password to see the video.
15. The following report is also available from Search & Reports: ObserveIT-Server Usage (Top Values)

16. Application Over Time


17. Click on Views->ObserveIT to see the following dashboard.
18. The pies are clickable: you can click on Servers, Users, Applications or Logins and get the list of events that are related to your request.



2 CREATE OBSERVEIT INPUT LOG FILES

Use the following SQL:


3 DEFINE DATA INPUT SOURCE

File: C:\Program Files\Splunk\etc\apps\ObserveIT\local\Inputs.conf

[monitor://D:\Users\ilan\Documents\ObserveIT\Splunk\LogFiles\1]
disabled = 0


4 TROUBLESHOOTING

4.1 Splunk : Delete all events

1. C:\Program Files\Splunk\bin>splunk.exe stop
2. C:\Program Files\Splunk\bin>splunk.exe clean eventdata
3. C:\Program Files\Splunk\bin>splunk.exe start

4.2 Splunk : Reload events

splunk.exe stop
splunk.exe add oneshot D:\temp\LogFiles\3\Data_Query_v4.log -sourcetype ObserveITUserActivity
splunk.exe add oneshot C:\Monitor_Log_55_for_Splunk\log\Data_Query_v5.log -sourcetype ObserveITUserActivity
splunk.exe start

Merry Christmas and happy New Year

4.3 Input.conf

Add the following lines (shown in red in the original) and restart Splunk:

[monitor://C:\temp\LogFiles\3]
disabled = false
followTail = 0
sourcetype = ObserveIT User Activity
CHECK_FOR_HEADER=TRUE

Modify also: C:\Program Files\Splunk\etc\apps\learned\local\props.conf

Add the following lines:

[source::D:\temp\LogFiles\3\Data_Query_v4.log]
sourcetype = ObserveIT User Activity

[ObserveIT User Activity]
CHECK_FOR_HEADER = TRUE

[ObserveIT User Activity-2]
KV_MODE = none
REPORT-AutoHeader = AutoHeader-1


4.4 Enable automatic header-based field extraction

Enable automatic header-based field extraction for any source or source type by editing or creating props.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or in your own custom application directory in $SPLUNK_HOME/etc/apps/<app_name>/local.

Note: If you are using Splunk in a distributed environment, be sure to place the props.conf and transforms.conf files that you update for header-based field extraction on your search head, not on the indexer. For more information on configuration files in general, see "About configuration files" in the Admin manual.

To turn on automatic header-based field extraction for a source or source type, add CHECK_FOR_HEADER=TRUE under that source or source type's stanza in props.conf. Example props.conf entry (here for the ObserveIT User Activity source):

[source::C:\temp\LogFiles\3\Data_Query_v4.log]
sourcetype=ObserveIT User Activity

[ObserveIT User Activity]
CHECK_FOR_HEADER=TRUE
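CHECK_FOR_HEADER=TRUE (sections 4.3 and 4.4 above) makes Splunk treat the first line of the monitored file as the field-name header, so every data line must carry exactly as many delimited fields as that header or the extracted fields silently shift. The script below is an added illustration, not ObserveIT or Splunk code: it applies the same rule to an export so a log can be validated offline before it is indexed. The tab-delimited layout, the column names and the sample rows are all constructed assumptions (the page does not show the SQL output format).

```python
"""Offline check of an ObserveIT export against Splunk's header-based extraction rule."""
import csv
import io

# Constructed sample of a Data_Query-style export. Assumed layout: tab-delimited,
# first line is the header that CHECK_FOR_HEADER=TRUE will consume.
SAMPLE_LOG = (
    "SessionID\tLoginName\tServerName\tApplicationName\tWindowTitle\n"
    "A1B2C3\tjsmith\tFILESRV01\tcmd.exe\tAdministrator: Command Prompt\n"
    "A1B2C3\tjsmith\tFILESRV01\tregedit.exe\tRegistry Editor\n"
    "D4E5F6\tadmin\tSQLSRV02\tssms.exe\tMicrosoft SQL Server Management Studio\n"
)


def parse_header_based(text, delimiter="\t"):
    """Mimic header-based extraction: name fields from line 1, one dict per data line.

    Returns (events, problems). A data line whose field count differs from the
    header's is reported in problems and skipped, since Splunk would otherwise
    assign its values to the wrong field names.
    """
    reader = csv.reader(io.StringIO(text), delimiter=delimiter)
    rows = [r for r in reader if r]          # drop blank lines
    if not rows:
        return [], ["empty file: no header line"]
    header = [h.strip() for h in rows[0]]
    events, problems = [], []
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append(f"line {lineno}: {len(row)} fields, header has {len(header)}")
            continue
        events.append(dict(zip(header, row)))
    return events, problems


def count_by(events, field):
    """Aggregate like the 'Top Values' reports: number of events per distinct value."""
    counts = {}
    for ev in events:
        counts[ev[field]] = counts.get(ev[field], 0) + 1
    return counts


if __name__ == "__main__":
    evs, probs = parse_header_based(SAMPLE_LOG)
    print(len(evs), "events parsed; problems:", probs)
    print("events per user:", count_by(evs, "LoginName"))
```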

4.5 ObserveIT Application main menu

C:\Program Files\Splunk\etc\apps\ObserveIT\default\data\ui\nav\default.xml

<nav>
  <view name="flashtimeline" default='true' />
  <collection label="Views">
    <view source="unclassified" />
    <divider />
  </collection>
  <collection label="Searches &amp; Reports">
    <collection label="Reports">
      <saved source="unclassified" match="report" />
    </collection>
    <divider />
    <saved source="unclassified" />
  </collection>
</nav>
