topic Re: How to Get a List of Windows Hosts When Indexed With Other OS and Specific Source Type in Splunk Search

How to Get a List of Windows Hosts When Indexed With Other OS and Specific Source Type

SplunkLunk — Thu, 23 Jun 2016 14:02:04 GMT

Good morning,

First time poster here. Our organization manages Splunk and allows other people access to Search. However, they have an index for just OS logs so Windows and Linux are mixed in with each other. I'm also trying to find out when the last time a "WinEventLog" source talked to Splunk so I can query machines that are not communicating.

So, can someone tell me how I can search for a Windows host that hasn't forwarded a "WinEventLog" in "X" minutes? I can do the search for the latter part. However, since Linux hosts will never forward a "WinEventLog", I would get the list of Linux hosts within the result. I would really appreciate any help you can give me. Thanks!

Re: How to Get a List of Windows Hosts When Indexed With Other OS and Specific Source Type

woodcock — Thu, 23 Jun 2016 23:59:04 GMT

Just setup a Distributed Management Console (DMC). It is easy and you will have to do it sooner or later and it does all that you need now and WAAAAAAY more, most of which you will (know that you) need soon enough:

http://docs.splunk.com/Documentation/Splunk/6.4.1/DMC/DMCoverview

Re: How to Get a List of Windows Hosts When Indexed With Other OS and Specific Source Type

ddrillic — Fri, 24 Jun 2016 00:19:53 GMT

Exactly as woodcock said - The DMC has a section for the forwarders and you can produce a report of the "missing" ones.

Re: How to Get a List of Windows Hosts When Indexed With Other OS and Specific Source Type

SplunkLunk — Fri, 24 Jun 2016 12:17:30 GMT

Thanks. But that's not an option for me since I don't administer the console. I could make that request but right now the only tool I have available to me is search. So although the DMC would be the easy way, I need a way to do the equivalent (or similar) via search.

Re: How to Get a List of Windows Hosts When Indexed With Other OS and Specific Source Type

woodcock — Sat, 25 Jun 2016 02:56:10 GMT

You will need 2 searches

The first search maintains a list of hosts that have ever been seen (so you can tell when they disappear). Schedule this search to run every hour for the last hour:

| tstats values(host) AS host WHERE index=<YourIndexHere> sourcetype=WinEventLog | mvexpand host
| appendpipe [|inputcsv WinEventLogHosts.csv ]
| dedup host
| outputcsv WinEventLogHosts.csv

Next schedule this alert to run every minute for the last 5 minutes:

| tstats values(host) AS host WHERE index=<YourIndexHere> sourcetype=WinEventLog | eval type="NEW" | mvexpand host
| appendpipe [|inputcsv WinEventLogHosts.csv | eval type="OLD"]
| stats dc(type) as numTypes values(*) AS * by host
| search numTypes=1 AND type="OLD"

Re: How to Get a List of Windows Hosts When Indexed With Other OS and Specific Source Type

SplunkLunk — Mon, 27 Jun 2016 13:10:21 GMT

Thanks. I will give this a try and see if it will work for me. I'll report back in the next day or so.

Re: How to Get a List of Windows Hosts When Indexed With Other OS and Specific Source Type

woodcock — Mon, 27 Jun 2016 18:09:35 GMT

With a bit of work, you could get all of this to run in a single search but this is more clear and obvious.

Re: How to Get a List of Windows Hosts When Indexed With Other OS and Specific Source Type

SplunkLunk — Mon, 25 Jul 2016 18:13:02 GMT

woodcock, I know this has been a while but I didn't notice until our admins gave me access to another domain last week. The first search above works, but it pulls a list from all the domains I have access to. Not just the one defined in the WHERE index= [my index] clause. Any idea why that happens? I explicity state the index and it shows me a combined list from six indexes I have access to. Yet, if I take out the WHERE clause the search doesn't work. So the clause is required but it acts like it's being ignored. Any idea why that would be?

Re: How to Get a List of Windows Hosts When Indexed With Other OS and Specific Source Type

SplunkLunk — Mon, 25 Jul 2016 18:25:26 GMT

Disregard. Figured it out

Re: How to Get a List of Windows Hosts When Indexed With Other OS and Specific Source Type

SplunkLunk — Mon, 25 Jul 2016 19:47:24 GMT

woodcock,

So I'm assuming I would schedule the cron job to run -5m (earliest) to now (latest) and the cron expression would be /1***? Also, what would the trigger be? I'm assuming I'd want to report on anything that shows up as "NEW". Would that be a custom trigger? Sorry to be a pest.

Re: How to Get a List of Windows Hosts When Indexed With Other OS and Specific Source Type

woodcock — Mon, 25 Jul 2016 20:58:10 GMT

It is whatever your X is. Let's say your reporting threshold is 5 minutes (if a server doesn't log for 5 minutes then it is down). The decide how soon you need to be notified with a number equal-to or less than 5, for example, within 1 minute, then the period will be Every minute or */1 * * * *.