topic Is it possible to have SPLUNK reporting every computer usage on the network and how? in Splunk Search

Is it possible to have SPLUNK reporting every computer usage on the network and how?

tweedyloebus — Fri, 09 Mar 2018 16:03:37 GMT

I would like to be able to run a report showing the computer usage of every client on my network. Is there a way I can do it in SPLUNK? If so what is the exact SPLUNK search command that I can use?

Re: Is it possible to have SPLUNK reporting every computer usage on the network and how?

richgalloway — Fri, 09 Mar 2018 20:29:50 GMT

If Splunk is receiving computer usage information about every client on your network then you can report on it. The exact search depends on the computer platforms used, the data you have, and the indexes in which you store the data.
If you can provide more details about your environment, we may be able to help.

Re: Is it possible to have SPLUNK reporting every computer usage on the network and how?

tweedyloebus — Fri, 09 Mar 2018 21:30:29 GMT

Thank you for your reply to my post. We have Windows 7, Windows XP, Windows Server 2000, Windows Server 2008, Windows Server 2012 and Linux.

Re: Is it possible to have SPLUNK reporting every computer usage on the network and how?

richgalloway — Sat, 10 Mar 2018 02:33:51 GMT

That's not a lot to work with. First, replace Windows XP with something recent.
Second, what data are you collecting from these operating systems? That will govern how you search.

Re: Is it possible to have SPLUNK reporting every computer usage on the network and how?

p_gurav — Sat, 10 Mar 2018 10:48:14 GMT

Yes, Its possible. If all clients are sending data to your Splunk instance. If that's the case, can you share sample data?

Re: Is it possible to have SPLUNK reporting every computer usage on the network and how?

Richfez — Sun, 11 Mar 2018 12:54:52 GMT

Hi, tweedyloebus!

This is a rather a big topic as you may have guessed from some of the comments so far, so let's break that down a bit.

First, some background help. The Splunk Fundamentals 1 class is free! I'd suggest that if you haven't taken that yet to do so. It will take about one working day to get through and will give you a decent grounding upon which to build.

Then go through the Splunk Tutorial, which is ALSO free. This is a more "interactive" tutorial on using some actual data to do some actual things.

When you have those two things completed, I think the following very vague, "list of things you'll need to do" will make a lot more sense to you.

First, define what you mean by "computer usage of every client on my network." This could mean logins and logoffs to the PCs, CPU usage of each one as the day progresses, websites they visit, or perhaps just amount of traffic they generate, and when, for all activities on the internet. You have to define what it is you are measuring before you can measure it.

Second, determine the data sources you can use for the data that would tell you this. Using my previous examples:
- Logins/Logoffs could come from Windows Event Logs and Domain Controller logs
- CPU usage from perfmon
- Websites (specifically) could come from any number of web proxies, or maybe your network's firewall (or possibly even the local firewalls on individual systems?)
- Network traffic will come from your network's edge firewall.

Third, now that you've determined what data source, you'll need to look through Splunkbase and The Most Excellent Documentation to find out if someone else has already written an app to handle that data already.

Fourth, you'll probably have to make some adjustments to that data. In all cases, you'll have to turn on the inputs needed so that you can start collecting the data. You haven't mentioned your Splunk environment at all - at this point I'd suggest setting up a simple test splunk install, in addition to your production system, so you can use that for the first stab at getting this data in and make sure you are doing it right before committing it to your production instances! (And for that, even just a smallish VM can be enough - you don't have to, for instance, turn on ALL 200 systems' event logs to it for testing - just a handful to make sure the data comes in right, is parsed correctly and will answer your questions).

Fifth, well, this is where the real fun starts. Making sense of your data! Well, that and building cool reports and charts and helping others to really "see" what the data is telling them.

Anyway, I hope this helps! It's a big topic, but I think if you take those two pieces of free training you'll be much better off in the end!

Happy Splunking,
Rich