
CylancePROTECT App for Splunk: Is there a way to create a search to filter out results by 1 field and create a table that shows only desired fields?

Engager

New to Splunk. I've set up the CylancePROTECT App for Splunk. You may be familiar with this, but Cylance has "Zones" that it uses to group and classify devices for a client. So we have one portal set up where each client has their own "Zone". I need to specify a particular zone in a search string that will filter only devices within that zone and then create a table that lists only these Cylance fields – Device Name, Created, Is Online, Offline Date, User

I have been messing around and have found that these search strings are close to providing all of the information I need, but I don't know how to filter or list only the fields that I want. These commands return every field and also list every time the device comes up in the logs. I just need 1 row per device.

eventtype=cylance_index sourcetype=device | stats list by "Zones" 
eventtype=cylance_index sourcetype=device | stats list by "Device Name"

I would also like to schedule a weekly/monthly report for every one of our zones so we'll know the number of devices, which are offline, and for how long.

SplunkTrust
  1. What is the actual field name of "Zones"?
  2. Define that in your base search.
  3. Replace the correct field name and value for "Zones" in the searches below.
  4. For more help, post a sample of the raw data.

eventtype=cylance_index sourcetype=device "Zones"=<zone you want> | stats values(*) as * by "Zones"
eventtype=cylance_index sourcetype=device "Zones"=<zone you want> | stats values(*) as * by "Device Name"


Builder

If you want to get a bit more granular as to which fields are displayed, you can specify it in your search. For example:

eventtype=cylance_index sourcetype=device | stats list("Agent Version"), list("Device Name"), list("OS Version"), list("Policy"), list("Files Analyzed") by Zones

Then, if you want to specify the particular zone you want to look at... add it to the start of the search (ex: test zone):

eventtype=cylance_index sourcetype=device zone=test | stats list("Agent Version"), list("Device Name"), list("OS Version"), list("Policy"), list("Files Analyzed") by Zones

You can also end the strings with a "| rename" to pretty up the column headers if desired. I hope that helps.
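Putting the two answers above together, here is one way to get both the one-row-per-device table and the per-zone summary the question asks for. This is an added example written for this thread; it is not from the original posts or from the CylancePROTECT app. It assumes the field names shown in the question (Zones, Device Name, Created, Is Online, Offline Date, User), that "Is Online" carries the literal values true/false, and that "Offline Date" is an ISO-8601 timestamp such as 2019-03-04T10:15:00. "Client A" is a placeholder zone name. Confirm the field names and value formats first with `eventtype=cylance_index sourcetype=device | head 5`, since they vary by app version.

```spl
eventtype=cylance_index sourcetype=device Zones="Client A"
| stats latest("Created") as "Created", latest("Is Online") as "Is Online", latest("Offline Date") as "Offline Date", latest("User") as "User" by "Device Name"
| table "Device Name" "Created" "Is Online" "Offline Date" "User"

eventtype=cylance_index sourcetype=device
| stats latest("Is Online") as "Is Online", latest("Offline Date") as "Offline Date" by "Zones", "Device Name"
| eval offline_days=if('Is Online'="false", round((now() - strptime('Offline Date', "%Y-%m-%dT%H:%M:%S")) / 86400, 1), null())
| stats count as devices, count(eval('Is Online'="false")) as offline, max(offline_days) as longest_offline_days by "Zones"
```

The first search filters on the zone, then uses `stats latest(...) by "Device Name"` so that each device produces exactly one row carrying its most recent values, rather than one row per log event; `latest()` is used instead of `values()` so a device whose "Is Online" flag changed during the search window shows its current state instead of a multi-value cell. The second search summarises every zone in one pass: it collapses to one row per zone and device, computes how many days a device has been offline from its "Offline Date" (drop the `strptime` if that field is already an epoch number), then counts devices and offline devices per zone and reports the longest outage. Save the second search as a report and schedule it (Save As > Report, then Schedule) with a time range of the last 7 or 30 days to get the weekly or monthly view.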

Explorer

Hi,

Please refer to the README.md (which is part of the app which you downloaded). At the end of this file is a section about how to report issues or ask questions of support.

Thanks.


Engager

Thanks for the advice. The app is configured and working properly. I would think my question would be more related to splunk search functions. I was hoping a splunk guru would be able to see this and assist. Is that not what this question/answer system is designed for?
