Splunk McAfee Logging: How to search what devices have not been reporting after 60 minutes?

New Member

I am trying to pull information from the ePO server into Splunk to detect agents that are not reporting in. On the device itself, it does report a communication failure, but that is generally when there is no connection. On the ePO server, the best way to determine what we are looking for is to look at the last login time, which checks each agent every 60 minutes. How can I search in Splunk to show devices that aren't reporting after 60 minutes? Any information is greatly appreciated. Thank you.

Path Finder

You could use a metadata search and a lookup table to show you which devices aren't reporting in. I use this search for finding domain controllers that have not reported in events recently:

| inputlookup append=t domain_controller_list 
| fields nt_host 
| eval nt_host=upper(nt_host)
| where NOT [| metadata index=windows_eventlog type=hosts earliest=-60m@m latest=now
             | where lastTime > relative_time(now(), "-60m@m") 
             | rex field=host "(?<nt_host>[^\.]+)" 
             | fields nt_host
             | eval nt_host=upper(nt_host)]
| sort nt_host

The inputlookup domain_controller_list is just a list of my domain controllers that I expect to be logging to my windows_eventlog index. Change the `| metadata` search's earliest and relative_time parameters to your needs.

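The same "expected list minus recently seen" logic as the SPL above, written out in Python as an added example (not code from the answer) so the hostname normalization and the 60-minute cutoff can be checked on constructed data; the host list and last-seen timestamps below are made up, and the last-seen values stand in for what `| metadata type=hosts` reports as lastTime.

```python
from datetime import datetime, timedelta, timezone

# Mirrors the "-60m@m" window in the SPL subsearch.
SILENCE_THRESHOLD = timedelta(minutes=60)


def normalize_host(host: str) -> str:
    """Mirror the SPL `rex "(?<nt_host>[^\\.]+)"` + `upper()`:
    keep the part before the first dot and uppercase it, so
    'dc01.corp.example' and 'DC01' compare equal."""
    return host.split(".", 1)[0].upper()


def silent_hosts(expected, last_seen, now, threshold=SILENCE_THRESHOLD):
    """Return the expected hosts (normalized, sorted) that have no event
    newer than `now - threshold`.

    expected:  hostnames from the lookup (any case, short name or FQDN)
    last_seen: dict host -> datetime of that host's most recent event
    """
    cutoff = now - threshold
    # Hosts that did report inside the window (the SPL subsearch result).
    recent = {normalize_host(h) for h, t in last_seen.items() if t > cutoff}
    # Expected hosts NOT in that set are the ones that went quiet.
    return sorted({normalize_host(h) for h in expected} - recent)


# Constructed sample data (not from any real environment).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
EXPECTED = ["dc01", "DC02", "dc03.corp.example", "dc04"]
LAST_SEEN = {
    "DC01.corp.example": NOW - timedelta(minutes=5),   # healthy
    "dc02.corp.example": NOW - timedelta(minutes=90),  # seen, but too long ago
    "dc03": NOW - timedelta(minutes=59),               # just inside the window
    # dc04 has never reported at all
}

if __name__ == "__main__":
    for host in silent_hosts(EXPECTED, LAST_SEEN, NOW):
        print(f"{host} has not reported in the last 60 minutes")
```

Note that a host which has never logged anything (dc04 here) only shows up because it is on the expected list; the metadata search alone cannot surface it, which is why the lookup is needed.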
New Member

I will try this out. Thank you so much and I will let you know if I got it to work.