Forum Discussion

The-messenger_1
Oct 20, 2017

How to search sessions for a specific variable value

ActiveSync sessions don't always provide great data for troubleshooting. I would like to be able to search sessions by access policy, server address and user name. With the variables I have, this would be session.server.network.name, session.assigned.uuid, session.access.profile.

 

With our Splunk data I don't have these variables. When I try to create a custom APM report I don't have these variables. When I click Manage Sessions I can't search or filter these variables.

 

For Splunk I think I need to hit up the analytics app thread, but aside from that, is it possible to search on these?

 

2 Replies

  • Does Splunk scoop up the APM logs from /var/log/apm? It should be set up to do so. Then you can add a logging agent to your policy to log the contents of those variables.

     

  • Hi,

     

    Which logs are you sending to Splunk?

     

    If you want to log traffic for troubleshooting, you can configure a request logging profile.

     

    Look at this link, where I provided the configuration of a request logging profile for grayling, based on the previous iRule posted by winston.

     

    With this configuration, you can use the iRule to include HTTP headers in the request.

     

    All HTTP headers available when the logging profile is evaluated can be included in templates:

     

    • between HTTP_REQUEST_SEND and HTTP_REQUEST_RELEASE for request and response templates
    • between HTTP_REQUEST_SEND and HTTP_REQUEST_RELEASE for response template

    The benefit of this link is that the log format is JSON, which is compatible with most SIEMs without requiring writing a parser.
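
Following the first reply's suggestion (log the three variables with a logging agent, then search the collected log), a search by any combination of them could look like this. It is an added example, not code from the thread or from F5; the log line layout, the `sid=` field and every sample value are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Session variables named in the original question.
WANTED = (
    "session.server.network.name",
    "session.assigned.uuid",
    "session.access.profile",
)

# name=value tokens for session variables; a value runs to the next whitespace.
PAIR = re.compile(r"(session\.[\w.]+)=(\S+)")
# Assumption: the logging agent message also carries the session id as sid=<hex>.
SID = re.compile(r"\bsid=([0-9a-f]+)")

# Constructed sample lines. The syslog prefix is illustrative; the parser ignores it.
SAMPLE = """\
Oct 20 10:15:01 bigip1 apmd[4321]: sid=1a2b3c4d session.server.network.name=mail.example.com session.assigned.uuid=alice session.access.profile=/Common/activesync_ap
Oct 20 10:15:03 bigip1 apmd[4321]: sid=5e6f7a8b session.server.network.name=mail.example.com session.assigned.uuid=bob session.access.profile=/Common/activesync_ap
Oct 20 10:15:07 bigip1 apmd[4321]: sid=9c0d1e2f session.server.network.name=portal.example.com session.assigned.uuid=alice
Oct 20 10:15:08 bigip1 apmd[4321]: sid=9c0d1e2f session.access.profile=/Common/portal_ap
Oct 20 10:15:09 bigip1 apmd[4321]: policy evaluation finished
"""

def index_sessions(lines):
    """Merge the wanted variables per session id; lines without a sid are skipped."""
    sessions = defaultdict(dict)
    for line in lines:
        sid = SID.search(line)
        if not sid:
            continue
        for name, value in PAIR.findall(line):
            if name in WANTED:
                sessions[sid.group(1)][name] = value
    return dict(sessions)

def search(sessions, criteria):
    """Return sorted session ids whose variables match every criterion (case-insensitive)."""
    return sorted(
        sid for sid, variables in sessions.items()
        if all(variables.get(k, "").lower() == v.lower() for k, v in criteria.items())
    )

if __name__ == "__main__":
    idx = index_sessions(SAMPLE.splitlines())
    print(search(idx, {"session.assigned.uuid": "alice"}))
```
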