Splunk McAfee Logging: How to search what devices have not been reporting after 60 minutes?

New Member

I am trying to pull information from the ePO server into Splunk to detect agents that are not reporting in. On the device itself, it does report a communication failure, but that is generally when there is no connection. On the ePO server, the best way to determine what we are looking for is to look at the last login time, which checks each agent every 60 minutes. How can I search in Splunk to show devices that aren't reporting after 60 minutes? Any information is greatly appreciated. Thank you.


Path Finder

You could use a metadata search and a lookup table to show you which devices aren't reporting in. I use this search for finding domain controllers that have not reported in events recently:

| inputlookup append=t domain_controller_list 
| fields nt_host 
| eval nt_host=upper(nt_host)
| where NOT [| metadata index=windows_eventlog type=hosts earliest=-60m@m latest=now
             | where lastTime > relative_time(now(), "-60m@m") 
             | rex field=host "(?<nt_host>[^\.]+)" 
             | fields nt_host
             | eval nt_host=upper(nt_host)]
| sort nt_host

The inputlookup domain_controller_list is just a list of my domain controllers that I expect to be logging to my windows_eventlog index. Change the | metadata search's earliest and relative_time parameters to your needs.

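The same expected-versus-observed pattern, adapted to the ePO question as an added example (this is editor-supplied SPL, not code from either poster or from the McAfee add-on). It assumes a lookup named epo_expected_agents with an nt_host column listing every agent you expect to see, that your ePO events land in index=mcafee with sourcetype mcafee:epo, and that the endpoint name is in dest_nt_host; all three names are assumptions, so check them against your own add-on's field extractions before running it. Instead of a subsearch inside where, it uses append plus a second stats, so an expected host that produced no events at all in the lookback window still appears in the output, and an empty event search does not break the filter.

```spl
index=mcafee sourcetype="mcafee:epo" earliest=-24h
| rex field=dest_nt_host "^(?<nt_host>[^\.]+)"
| eval nt_host=upper(nt_host)
| stats latest(_time) AS last_seen BY nt_host
| append
    [| inputlookup epo_expected_agents
     | eval nt_host=upper(nt_host), expected=1 ]
| stats max(last_seen) AS last_seen, max(expected) AS expected BY nt_host
| where expected=1 AND (isnull(last_seen) OR last_seen < relative_time(now(), "-60m@m"))
| eval minutes_silent=if(isnull(last_seen), null(), round((now()-last_seen)/60))
| eval last_seen=if(isnull(last_seen), "no events in last 24h", strftime(last_seen, "%Y-%m-%d %H:%M:%S"))
| table nt_host last_seen minutes_silent
| sort nt_host
```

Two caveats when applying this to ePO. First, events the add-on forwards are product and threat events, so "no events for 60 minutes" is not the same thing as "agent has not checked in"; if you also ingest the agent's last-communication timestamp from the ePO database, use that field in place of latest(_time) and the rest of the search stays the same. Second, the rex and upper() steps exist because the lookup and the events rarely agree on case or on short name versus FQDN; without that normalization a host can be reported as silent simply because "HOST1" did not match "host1.corp.example". The 24h lookback bounds the cost of the stats; widen it if you want minutes_silent to be meaningful for hosts that have been quiet longer than a day.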

New Member

I will try this out. Thank you so much and I will let you know if I got it to work.
