topic Re: Host and OS type in Getting Data In

Host and OS type

jawehren — Sat, 23 Oct 2010 00:56:41 GMT

How do I phrase a search to give me all the machines sending data and their OS type?

Re: Host and OS type

Genti — Sat, 23 Oct 2010 00:59:57 GMT

host=*

i do not think there is a way to find out their OS, unless you have some script running uname -a and splunk eating its output...

Re: Host and OS type

southeringtonp — Sat, 01 Jan 2011 13:47:49 GMT

The best approach is almost certainly going to be to use a lookup table.

See the link for information on setting up a CSV-based lookup. Once you have such a lookup, you'll be able to do a search such as:

| metadata hosts | lookup mylookup host OUTPUT operating_system

If you have a scripted input running uname -a as Genti suggests, that can be used to populate your table, e.g.:

sourcetype=uname | fields host, operating_system | outputlookup mylookup

Another approach, if you're lucky enough to have all systems in some form of directory would be to use a scripted lookup that leverages LDAP to query (for example) Active Directory.

In a real pinch, you may be able to partially fill your CSV file from data within Splunk. For example, if you see WMI events, you can safely assume that it's a Windows system, and if you see 'ASA' or 'PIX' in syslog data, it's clearly a Cisco firewall.

Ultimately though, the chances are you'll need to manually populate the CSV file.

Re: Host and OS type

JSapienza — Mon, 10 Jun 2013 14:21:44 GMT

I know this is an old thread but, here is how I do it :

index=_internal fwdType="*"|dedup sourceHost| table sourceHost, os