https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-report-on-inventory-of-systems-to-get-my/m-p/236653#M70311 <P>Looks like Splunk could be very useful in performing an inventory of systems. I have a report that runs with these parameters:</P> <PRE><CODE>Src_IP="10.3.30.*" | stats dc(Src_IP) as Src_IP by Security_ID Src_IP | sort src_IP ( *Run this with a time frame of TODAY*) </CODE></PRE> <P>It works pretty good and is usable, but I was wondering if some of you long time Splunkers could help me refine it. My output is currently:</P> <PRE><CODE>MyDomain\System1 10.3.30.15 MyDomain\FSmith 10.3.30.15 NULL SID 10.3.30.15 MyDomian\System2 10.3.30.20 MyDomain\BJones 10.3.30.20 NULL SID 10.3.30.20 </CODE></PRE> <P>So this lets me know that FSmith is using System1 and through a couple of days of checking I can reasonably surmise that FSmith is the dominate user of this system. Same with BJones and System2. How can I make it avoid the NULL SID entry? Is there a way to make it produce output like this:</P> <PRE><CODE>MyDomain\System1 FSmith 10.3.30.15 MyDomian\System2 BJones 10.3.30.20 </CODE></PRE> <P>or better yet </P> <PRE><CODE>System1 FSmith 10.3.30.15 System2 Bjones 10.3.30.20 </CODE></PRE> <P>These systems are remote, so I can't just walk over and do a visual inventory. And we have a couple of remote sites.</P> Mon, 02 May 2016 18:34:37 GMT geoeldsul 2016-05-02T18:34:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-report-on-inventory-of-systems-to-get-my/m-p/236653#M70311 <P>Looks like Splunk could be very useful in performing an inventory of systems. I have a report that runs with these parameters:</P> <PRE><CODE>Src_IP="10.3.30.*" | stats dc(Src_IP) as Src_IP by Security_ID Src_IP | sort src_IP ( *Run this with a time frame of TODAY*) </CODE></PRE> <P>It works pretty good and is usable, but I was wondering if some of you long time Splunkers could help me refine it. My output is currently:</P> <PRE><CODE>MyDomain\System1 10.3.30.15 MyDomain\FSmith 10.3.30.15 NULL SID 10.3.30.15 MyDomian\System2 10.3.30.20 MyDomain\BJones 10.3.30.20 NULL SID 10.3.30.20 </CODE></PRE> <P>So this lets me know that FSmith is using System1 and through a couple of days of checking I can reasonably surmise that FSmith is the dominate user of this system. Same with BJones and System2. How can I make it avoid the NULL SID entry? Is there a way to make it produce output like this:</P> <PRE><CODE>MyDomain\System1 FSmith 10.3.30.15 MyDomian\System2 BJones 10.3.30.20 </CODE></PRE> <P>or better yet </P> <PRE><CODE>System1 FSmith 10.3.30.15 System2 Bjones 10.3.30.20 </CODE></PRE> <P>These systems are remote, so I can't just walk over and do a visual inventory. And we have a couple of remote sites.</P> Mon, 02 May 2016 18:34:37 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-report-on-inventory-of-systems-to-get-my/m-p/236653#M70311 geoeldsul 2016-05-02T18:34:37Z https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-report-on-inventory-of-systems-to-get-my/m-p/236654#M70312 <P>Can you post some sample logs which contains all three type of entry for Security_ID field? (one containing system, second containing user and third with NULL SID)</P> Mon, 02 May 2016 19:26:09 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-report-on-inventory-of-systems-to-get-my/m-p/236654#M70312 somesoni2 2016-05-02T19:26:09Z https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-report-on-inventory-of-systems-to-get-my/m-p/236655#M70313 <P>No. Unfortunately these systems are isolated and cannot reach the internet. You can probably see the same type logs in your Windows Security Logs. <BR /> LogName=Security<BR /> SourceName=Microsoft Windows Security Auditing<BR /> EventCode=4624<BR /> EventType=0</P> Tue, 03 May 2016 11:14:01 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-report-on-inventory-of-systems-to-get-my/m-p/236655#M70313 geoeldsul 2016-05-03T11:14:01Z https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-report-on-inventory-of-systems-to-get-my/m-p/236656#M70314 <P>Ok. Sort of got it figured out. The Answer ... just change what is being searched.</P> <P>The following is providing better output:</P> <PRE><CODE>src_ip="10.1.30.*" |stats dc(src_nt_host) by src_nt_host user src_ip | sort src_nt_host </CODE></PRE> <P>Example output returned is:</P> <PRE><CODE>src_nt_host user src_ip system1 JTKirk 10.1.30.15 system2 MRSpock 10.1.30.17 </CODE></PRE> Wed, 11 May 2016 12:51:45 GMT https://community.splunk.com/t5/Splunk-Search/How-do-I-edit-my-report-on-inventory-of-systems-to-get-my/m-p/236656#M70314 geoeldsul 2016-05-11T12:51:45Z