topic Re: Finding whether firewall hosts sending logs to splunk ? in Splunk Search

Finding whether firewall hosts sending logs to splunk ?

splunker969 — Mon, 13 Nov 2017 14:46:30 GMT

Hi ,
I have a list of firewall hosts names and some ips of firewall and i created the lookup of all host names of firewall along with soem with ip names .Since when iam searching below query iam getting inconsistent results .If i run below query .

|inputlookup firewall.csv | join type=left host [|metadata index=pan* OR index=cisco* OR index=juniper* ] | fillnull value=0 lastTime | search lastTime!=0 | convert ctime(lastTime) | fields host lastTime totalCount |sort lastTime

Since when i search for
index=pan* OR index=cisco* OR index=juniper* |stats count by host
correct results .Since using "*" and checking for index with larger time period is taking long time .Please help with query ?

Q:Currently we have list of firewall host names and ips .our goal is to find whether these hosts are sending logs to splunk ?

Re: Finding whether firewall hosts sending logs to splunk ?

gcusello — Mon, 13 Nov 2017 15:04:43 GMT

HI splunker969,
at first invert your main search (inputlookup) with the subsearch, because in subsearches there's the limit of 50,000 results.
What's the result you are waiting for?

Your search isn't visible (use Code Sample button).

if you want to check if all hosts of your lookup send logs, you could run something like this:

| metadata index=pan* OR index=cisco* OR index=juniper*
| eval host=upper(host)
| stats count by host
| append [ | inputlookup firewall.csv | eval host=upper(host), count=0 | fields host count ]
| stats sum(count) AS Total BY host

In this way hosts where Total=0 are missed, hosts with Total>0 are present.

Bye.
Giuseppe

Re: Finding whether firewall hosts sending logs to splunk ?

splunker969 — Mon, 13 Nov 2017 15:43:43 GMT

Hi cusello Thanks

Firstly thanks for answers .Since it is showing count = o and count >0 .Also added the" type=hosts",in btw the |metadata and index,
Since I have two columns in csv one host and other is firewall where .When I serach for above query that you gave me is not showing any results in lookup .Showing all results.Also is there any chance if i can search as like |Search firewall =y after lookup csv file so that i can get information which is only present in csv file .Since i performed attaching it to search gives different results .Which do not give results from csv file .

Re: Finding whether firewall hosts sending logs to splunk ?

gcusello — Mon, 13 Nov 2017 16:05:34 GMT

did you checked if lookup's hosts are present in search?
maybe in search hosts are listed with IP instead hostname.
try with

| search index=pan* OR index=cisco* OR index=juniper*
| eval host=upper(host)
| stats count by host

and see what's the result.
Bye.
Giuseppe

Re: Finding whether firewall hosts sending logs to splunk ?

splunker969 — Mon, 13 Nov 2017 16:13:40 GMT

Hi cusello ,I have checked list that contain the hostname .If we use tstats will that give correct results instead of metadata ?

Re: Finding whether firewall hosts sending logs to splunk ?

gcusello — Mon, 13 Nov 2017 16:15:57 GMT

infact I usually use | metasearch and not | metadata
Bye.
Giuseppe