topic Re: Splunk data logs spreadsheet in Reporting

Splunk data logs spreadsheet

tacobell — Fri, 03 Jul 2015 22:57:39 GMT

I'm new to Splunk - and have been asked to create a spreadsheet that my global company can use to baseline our Proof of Concept (POC),
Specifically, how do you identify what you are forwarding e.g. if I wanted to identify specific machines what is the best approach .....to identify the log type or the machine type?????? Would the below be the best approach????

And then add for example "firewall with IPS" Under "Security" ???
Or "Cisco switch" under "network"?

Re: Splunk data logs spreadsheet

alacercogitatus — Mon, 06 Jul 2015 12:51:22 GMT

Knowing this level of data requires you to enhance the data with Splunk asset lookups. The simplest approach is to say:

|tstats count by sourcetype source host

This will give you a count by each piece of metadata, most of which clue you in to what the data is. For example, access_combined is a default standard for Apache Web logs. WinEventLog:Security is the Windows Security log. If you need to go deeper than that, you will have to tell Splunk (via lookup) what each host in the environment is, what it does, etc....