topic Re: Filtering by OS in Splunk Search

Filtering by OS

johnfrias — Tue, 14 Jul 2020 21:10:23 GMT

I have the outcome of my search results but I want to filter by only OS. I was able to get all the results but need to filter it down to Windows Server OS's. What am I missing?

Current search: index="myindex" "eventcode=NUMBER"

Re: Filtering by OS

bowesmana — Tue, 14 Jul 2020 22:29:33 GMT

Can you provide an example of your data, otherwise it's impossible to know how OS is represented as a Splunk field.

Re: Filtering by OS

anmolpatel — Wed, 15 Jul 2020 02:24:04 GMT

Are you ingesting the WinHostMon data?

Check using this search

index=myindex sourcetype=WinHostMon source=operatingsystem | stats count by OS host

If you're, than this should help

index=myindex sourcetype=WinHostMon source=operatingsystem | stats values(OS) as OS by host | append [search index=myindex sourcetype=wineventlog source=WinEventLog:Security | stats VALUES(EventCode) AS EventCode BY host ] | stats VALUES(*) AS * BY host

Re: Filtering by OS

johnfrias — Wed, 15 Jul 2020 13:07:37 GMT

Thanks for your response. The first command against my index didn't populate any data. I did this for any other of my indexes and nothing came up as well.

Re: Filtering by OS

danielansell — Wed, 15 Jul 2020 14:25:55 GMT

Splunk can only help if you have the data available to filter. As someone else mentioned, winhostmon data will get OS data into Splunk. I use the Splunk Windows TA to get this data into Splunk. Then when I want to search on a specific class, I use a subsearch

index=main EventCode=4624 Logon_Type=2 [index=windows OS="Microsoft Windows 10*" | fields host]

That subsearch looks for all systems with a Windows 10 variant (enterprise, pro, etc) and effectively adds the hostnames as an 'OR' to your base search - basically it becomes

index=main EventCode=4624 Logon_Type=2 host1 OR host2 OR host3 OR host4

If you don't have OS data in Splunk, but need the data now, you may be able to get creative and use the host name if you have a good naming convention in place - that is, if you know all workstations are running Win 10 Pro, and all workstation names start with WKS, you could simply use something like this:

index=main host=wks* EventCode=4624 Logon_Type=2

That last example would just be a bandaid solution though - I wouldn't use that as a long term solution as naming conventions tend to change or systems are named improperly and then you have bad data.