topic Re: Find all assets in splunk in Splunk Search

Find all assets in splunk

JandrevdM — Thu, 01 Aug 2024 14:29:38 GMT

Hi, I am new to Splunk and would like to build a dashboard to find all hosts in environment. This should query all logs to pick up WSL environments, devices ingesting from my security tools and overall just anything with a hostname and classify it as domain joined, server or workstation.

I am using this to then see the devices that has the forwarder installed and then would correlate to see what devices require the splunk forwarder.

index="_internal" source="*metrics.log*" group=tcpin_connections | dedup hostname | table date_hour, date_minute, date_mday, date_month, date_year, hostname, sourceIp, fwdType ,guid ,version ,build ,os ,arch | stats count

Re: Find all assets in splunk

gcusello — Thu, 01 Aug 2024 14:43:58 GMT

Hi @JandrevdM ,

with this search you can have only the list of Universal Forwarders and not the list of all devices.

In addition you could have a more performat search in this way:

| tstats count where index=_internal BY host

If you want also other devices, you must use a different filter in where condition, e.g.:

| tstats count where index=_internal OR index=* BY host

Ciao.

Giuseppe

Re: Find all assets in splunk

JandrevdM — Thu, 01 Aug 2024 18:43:25 GMT

Hi @gcusello Thanks!

I also tried this but it takes ages to get results.

index=* | stats dc(computerName) as UniqueHostCount by computerName | where UniqueHostCount > 0 | stats max(timestamp) by computerName | table computerName

Re: Find all assets in splunk

gcusello — Thu, 01 Aug 2024 15:01:31 GMT

Hi @JandrevdM ,

what's in my search doesn't match your requirement?

then, if you want the list of all your assets, you don't need all that commands, but only a list of hosts.

then UniqueHostCount is always 1 in your search.

them you don't have timestamp from the first stats command, so you cannot use it in the second stats command because after a stats command you have only the fields in the stats.

At least, using tstats you have a more performant search.

Ciao.

Giuseppe

Re: Find all assets in splunk

PickleRick — Thu, 01 Aug 2024 18:18:05 GMT

You need to specify your needs more precisely. Finding sources of events is one thing, finding - for example - all hosts shown in firewall logs is a completely different cup of tea.