<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Identifying non-reporting hosts via correlation with DNS. in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Identifying-non-reporting-hosts-via-correlation-with-DNS/m-p/103919#M21869</link>
    <description>&lt;P&gt;Ta very much. I started this but then just switched to deploying the Splunk for Active Directory app instead!&lt;/P&gt;</description>
    <pubDate>Sat, 27 Oct 2012 15:25:34 GMT</pubDate>
    <dc:creator>rmckerchar</dc:creator>
    <dc:date>2012-10-27T15:25:34Z</dc:date>
    <item>
      <title>Identifying non-reporting hosts via correlation with DNS.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Identifying-non-reporting-hosts-via-correlation-with-DNS/m-p/103917#M21867</link>
      <description>&lt;P&gt;Hi guys,&lt;/P&gt;

&lt;P&gt;I'm trying to define a search to spot Active Directory domain controllers which have not (and possibly never have) sent their security logs into Splunk.&lt;/P&gt;

&lt;P&gt;I can easily get a list of domain controllers from DNS (_ldap._tcp.dc._msdcs. SRV records). First stage I'd simply like to paste this list into a search and then do a set operation to subtract hosts which we've received data from. Later I guess I could get splunk to do the DNS query too.&lt;/P&gt;

&lt;P&gt;Something like, to mix splunk &amp;amp; SQL syntax:&lt;/P&gt;

&lt;P&gt;["list of DCs here" as host] host NOT IN [search sourcetype="wineventlog:security" | dedup host | fields host]&lt;/P&gt;

&lt;P&gt;To show me everything in the first list which doesn't match a host in the second.&lt;/P&gt;

&lt;P&gt;regards,&lt;/P&gt;

&lt;P&gt;-ross&lt;/P&gt;</description>
      <pubDate>Mon, 28 Sep 2020 12:41:56 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Identifying-non-reporting-hosts-via-correlation-with-DNS/m-p/103917#M21867</guid>
      <dc:creator>rmckerchar</dc:creator>
      <dc:date>2020-09-28T12:41:56Z</dc:date>
    </item>
    <item>
      <title>Re: Identifying non-reporting hosts via correlation with DNS.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Identifying-non-reporting-hosts-via-correlation-with-DNS/m-p/103918#M21868</link>
      <description>&lt;P&gt;You could store your DC list in a CSV and use a lookup, just index a list of DCs, or WMI query AD periodically. Once you have your complete search, just use the diff command. You will probably have to play around a bit with your results.&lt;/P&gt;

&lt;P&gt;&lt;PRE&gt;&lt;CODE&gt;... | diff pos1=1 pos2=3 attribute=domain_controller&lt;/CODE&gt;&lt;/PRE&gt;&lt;/P&gt;

&lt;P&gt;Hope this helps you. Cheers.&lt;/P&gt;

&lt;P&gt;&lt;STRONG&gt;Please don't forget to click accept and up this post, if it helps you.&lt;/STRONG&gt;&lt;/P&gt;

&lt;P&gt;Additional reading:&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Diff"&gt;Diff&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;&lt;A href="http://blogs.splunk.com/2009/07/27/enriching-data-with-lookups-part-1/"&gt;enriching-data-with-lookups-part-1&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;&lt;A href="http://blogs.splunk.com/2009/09/14/enriching-data-with-db-lookups-part-2/"&gt;enriching-data-with-db-lookups-part-2&lt;/A&gt;&lt;/P&gt;

&lt;P&gt;&lt;A href="http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Addfieldsfromexternaldatasources"&gt;CreateAndConfigureFieldLookups&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Fri, 26 Oct 2012 15:56:14 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Identifying-non-reporting-hosts-via-correlation-with-DNS/m-p/103918#M21868</guid>
      <dc:creator>bmacias84</dc:creator>
      <dc:date>2012-10-26T15:56:14Z</dc:date>
    </item>
    <item>
      <title>Re: Identifying non-reporting hosts via correlation with DNS.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Identifying-non-reporting-hosts-via-correlation-with-DNS/m-p/103919#M21869</link>
      <description>&lt;P&gt;Ta very much. I started this but then just switched to deploying the Splunk for Active Directory app instead!&lt;/P&gt;</description>
      <pubDate>Sat, 27 Oct 2012 15:25:34 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Identifying-non-reporting-hosts-via-correlation-with-DNS/m-p/103919#M21869</guid>
      <dc:creator>rmckerchar</dc:creator>
      <dc:date>2012-10-27T15:25:34Z</dc:date>
    </item>
    <item>
      <title>Re: Identifying non-reporting hosts via correlation with DNS.</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Identifying-non-reporting-hosts-via-correlation-with-DNS/m-p/103920#M21870</link>
      <description>&lt;P&gt;Here's how I ended up solving this:&lt;/P&gt;

&lt;P&gt;| set diff [ | set union [| ldapsearch domain="DOMAIN1" search="(&amp;amp;(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))"] [| ldapsearch domain="DOMAIN2" search="(&amp;amp;(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=532480))"] | fields cn | fields - _* | eval host=cn | fields - cn&lt;BR /&gt;
] [ search index=winsec | dedup host | eval host=upper(host) | fields host | fields - _* ]&lt;/P&gt;

&lt;P&gt;So, &lt;/P&gt;

&lt;OL&gt;
&lt;LI&gt;Do some LDAP searches to get DCs for a couple of our domains (had to do a union here, as domain=A OR domain=B didn't seem to work in conjunction with the ldapsearch app)&lt;/LI&gt;
&lt;LI&gt;Rename the cn field as host. &lt;/LI&gt;
&lt;LI&gt;Diff against a search which returns all DCs only (in our case this was a specific index used by DC security logs). Upper the host field to get around case differences.&lt;/LI&gt;
&lt;/OL&gt;

&lt;P&gt;Interestingly, the "fields somefield - _*" syntax didn't work as a filter here, hence multiple use of "fields". One to select fields, one to filter out the ones I didn't want.&lt;/P&gt;

&lt;P&gt;-ross&lt;/P&gt;</description>
      <pubDate>Thu, 08 Nov 2012 15:22:33 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Identifying-non-reporting-hosts-via-correlation-with-DNS/m-p/103920#M21870</guid>
      <dc:creator>rmckerchar</dc:creator>
      <dc:date>2012-11-08T15:22:33Z</dc:date>
    </item>
  </channel>
</rss>