New to splunk. I've set up CylancePROTECT App for Splunk. You may be familiar with this, but Cylance has “Zones” that it uses to group and classify devices for a client. So we have one portal set up where each client has their own "Zone". I am needing to specify a particular zone in a search string that will filter only devices within that zone and then create a table that lists only these Cylance Fields – Device Name, Created, Is Online, Offline Date, User
I have been messing around and have found that these search strings are close to providing all of the information I need, but I don’t know how to filter or list only the fields that I want. These commands have every field and also list every time the device comes up in the logs. I just need 1 row per device.
eventtype=cylance_index sourcetype=device | stats list by "Zones"
eventtype=cylance_index sourcetype=device | stats list by "Device Name"
I would also like to schedule a week/month report for every one of our zones so we’ll know the number of devices, which are offline and for how long.
eventtype=cylance_index sourcetype=device "Zones"=<zone you want> | stats values(*) as * by "Zones"
eventtype=cylance_index sourcetype=device "Zones"=<zone you want> | stats values(*) as * by "Device Name"
If you want to get a bit more granular as to which fields are displayed, you can specify it in your search. For example:
eventtype=cylance_index sourcetype=device | stats list("Agent Version"), list("Device Name"), list("OS Version"), list("Policy"), list("Files Analyzed") by Zones
Then, if you want to specify the particular zone you want to look at... add it to the start of the search (ex: test zone):
eventtype=cylance_index sourcetype=device Zones=test | stats list("Agent Version"), list("Device Name"), list("OS Version"), list("Policy"), list("Files Analyzed") by Zones
You can also end the strings with a "| rename" to pretty up the column headers if desired. I hope that helps.
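Putting the pieces together for exactly what the question asks (one row per device in a single zone, only the five requested fields, plus how long each offline device has been offline, and a per-zone summary suitable for a scheduled weekly or monthly report), as an added example that is not from the original answers. It assumes the "Is Online" field holds the strings True/False, that "Offline Date" is an ISO-8601 timestamp like 2019-01-01T00:00:00 (adjust the strptime format if your events differ), and uses <zone name> as a placeholder for the real zone.

```spl
eventtype=cylance_index sourcetype=device "Zones"="<zone name>"
| stats latest("Created") as Created, latest("Is Online") as "Is Online", latest("Offline Date") as "Offline Date", latest("User") as User by "Device Name"
| eval offline_days=if('Is Online'="False" AND isnotnull('Offline Date'), round((now() - strptime('Offline Date', "%Y-%m-%dT%H:%M:%S"))/86400, 1), null())
| table "Device Name", Created, "Is Online", "Offline Date", User, offline_days

eventtype=cylance_index sourcetype=device
| stats latest("Is Online") as "Is Online", latest("Offline Date") as "Offline Date" by "Zones", "Device Name"
| eval offline=if('Is Online'="False", 1, 0)
| stats count as devices, sum(offline) as offline_devices, min("Offline Date") as "Oldest Offline Date" by "Zones"
```

The first search is the device table for one zone (latest() collapses repeated device events into one row per device, and offline_days is left empty for online devices); the second is the zone-level summary to save as a scheduled report, with the first stats deduplicating devices before counting them.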
Thanks for the advice. The app is configured and working properly. I would think my question would be more related to splunk search functions. I was hoping a splunk guru would be able to see this and assist. Is that not what this question/answer system is designed for?