topic Devices In Splunk- How can I create syntax, an alert, and create a table? in Splunk Search

Devices In Splunk- How can I create syntax, an alert, and create a table?

codeJesus — Mon, 10 Oct 2022 14:06:49 GMT

Hello,

please can someone assist with creating syntax to

1. know the numbers of desktop, laptops, servers and network devices that I have onboarded into Splunk cloud?

2. Create alert if a new device is onboarded?

3. Count the numbers of the different types of devices that have been onboarded

4. create a table for the above

thanks

Re: Devices In Splunk

gcusello — Mon, 10 Oct 2022 12:12:02 GMT

Hi @codeJesus,

the solution to your question depends on how you classified your data, in other words:

if you archived e.g.:

desktop and laptops data in the wineventlog index,
windows servers data in the winservers index
linux servers in the os index
network devices data in the appliance index

it's easy to make the work you ask:

to solve items 1,2,4 run something like this:

| metasearch index=* | stats values(host) AS host count BY index

for the item 3, you have to create a lookup (called e.g. perimeter.csv), to update e.g. every night using a search like the following

then you can create an alert like the following that's firing if there's a new host sending logs:

| metasearch index=* NOT [ | inputlookup perimeter.csv | fields host ] | stats count By host

It's a little more complicated if you don't have a classification by index.

In this case, you have to create a lookup like the following

and then manually add the type of the host.

If you have a rule (e.g. a naming convention, you could use it to classify the hosts e.g.;

windows servers hostname start with srvwinxxxxx,
desktop and laptops hostname start with dskwinxxxx,
linux servers hostname start with srvlnxxxxx,
network devices hostname is an IP address or start with applxxxx.

in this case you can extract the type with an eval:

Ciao.

Giuseppe

Re: Devices In Splunk- How can I create syntax, an alert, and create a table?

codeJesus — Fri, 21 Oct 2022 08:14:00 GMT

Thanks for this.

does any one know the SPL to check for the windows OS types that have been ingested into Splunk? I have run several SPL queries but it didnt work

Re: Devices In Splunk- How can I create syntax, an alert, and create a table?

gcusello — Fri, 21 Oct 2022 08:21:53 GMT

Hi @codeJesus,

to check the Windows OS ingested you have to install the Splunk_TA_Windows (https://splunkbase.splunk.com/app/742) and enable the input (WinHostMon://OperatingSystem) that sends you the information about the OS.

Then you have only to display these information.

It's obviously a data that doesn't change so frequently, so you can extract it also une time a day or one time a week.

Ciao.

Giuseppe

Re: Devices In Splunk- How can I create syntax, an alert, and create a table?

gcusello — Fri, 21 Oct 2022 08:22:26 GMT

Hi @codeJesus ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉