https://community.splunk.com/t5/Reporting/How-do-you-get-a-report-of-machines-that-are-VMs/m-p/415615#M9645 <P>So we have WMI working and I found a string that at least got me some VMs, but it required that the VM be a Windows VM, no joy on the linux side. Could probably add something to our Linux deployment-app to check for VMware tools. If I cast the net really wide there seems to be snippets of VM info in sourcetype WinHostMon, WindowsUpdateLog, and even eventype nix-all-logs- so hopefully I can whip something up that is accurate and clean.</P> Fri, 26 Oct 2018 17:56:00 GMT ShaunBaker 2018-10-26T17:56:00Z https://community.splunk.com/t5/Reporting/How-do-you-get-a-report-of-machines-that-are-VMs/m-p/415611#M9641 <P>I've seen searches using _internal to identify OS, but is there a way to identify what clients are physical and which are VMs?</P> Fri, 12 Oct 2018 00:35:21 GMT https://community.splunk.com/t5/Reporting/How-do-you-get-a-report-of-machines-that-are-VMs/m-p/415611#M9641 ShaunBaker 2018-10-12T00:35:21Z https://community.splunk.com/t5/Reporting/How-do-you-get-a-report-of-machines-that-are-VMs/m-p/415612#M9642 <P>I'd typically get that kind of context from a CMDB and feed that into lookups in Splunk to enrich events with such information (e.g. through Enterprise Security's Asset&amp;Identity framework).</P> <P>Not sure if there is any way to tell the difference between a VM and a physical from logs. What logs are you collecting and do you have a UF on the respective machines?</P> Fri, 12 Oct 2018 08:10:23 GMT https://community.splunk.com/t5/Reporting/How-do-you-get-a-report-of-machines-that-are-VMs/m-p/415612#M9642 FrankVl 2018-10-12T08:10:23Z https://community.splunk.com/t5/Reporting/How-do-you-get-a-report-of-machines-that-are-VMs/m-p/415613#M9643 <P>I think pretty basic/standard sourcetypes for windows, application, system and security. There are a lot of different eventtype though, so I will dig around. </P> <P>I do have a UF on the VMs in question.</P> <P>Hoping to use Splunk to help with generating my CMDB haha.</P> Tue, 16 Oct 2018 23:20:10 GMT https://community.splunk.com/t5/Reporting/How-do-you-get-a-report-of-machines-that-are-VMs/m-p/415613#M9643 ShaunBaker 2018-10-16T23:20:10Z https://community.splunk.com/t5/Reporting/How-do-you-get-a-report-of-machines-that-are-VMs/m-p/415614#M9644 <P>Right, ok <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Not sure whether you can see it in the logs (maybe check the system events close to startup or something, maybe that holds a clue).</P> <P>Otherwise, it should be possible to use some commands to check the system type, which you could put into a scripted input. Maybe the windows TA even already contains some scripted / wmi inputs that enable you to find out.</P> Wed, 17 Oct 2018 08:24:19 GMT https://community.splunk.com/t5/Reporting/How-do-you-get-a-report-of-machines-that-are-VMs/m-p/415614#M9644 FrankVl 2018-10-17T08:24:19Z https://community.splunk.com/t5/Reporting/How-do-you-get-a-report-of-machines-that-are-VMs/m-p/415615#M9645 <P>So we have WMI working and I found a string that at least got me some VMs, but it required that the VM be a Windows VM, no joy on the linux side. Could probably add something to our Linux deployment-app to check for VMware tools. If I cast the net really wide there seems to be snippets of VM info in sourcetype WinHostMon, WindowsUpdateLog, and even eventype nix-all-logs- so hopefully I can whip something up that is accurate and clean.</P> Fri, 26 Oct 2018 17:56:00 GMT https://community.splunk.com/t5/Reporting/How-do-you-get-a-report-of-machines-that-are-VMs/m-p/415615#M9645 ShaunBaker 2018-10-26T17:56:00Z