Splunk Dashboard UF search to check if they're rep...

arunsundarm · ‎03-10-2023

I Need to take a CSV file as input with a list of UF hostnames and check if they are reporting to splunk deployment server in a dashbaord

arunsundarm · ‎03-10-2023

Thank you so much for the response, Is it possible to make the users upload the csv file into a dashbaord instead of a lookup file?

gcusello · ‎03-10-2023

Hi @arunsundarm,

You could also use the commain inputcsv, that probably works, but I usually use a lookup, and I hint to use the same approach.

Ciao.

Giuseppe

gcusello · ‎03-10-2023

Hi @arunsundarm,

you could run something like this:

| metasearch index=_internal
| dedup host
| table host
| outputlookup perimeter.csv

in this way you have a list of host that reported in a period (e.g. last month) and the list is saved in a lookup called perimeter.cav.

You can manage this lookup in two ways:

schedule the above search e.g. every night to update the lookup,
manually update the lookup with new or cancelled hosts.

the first solution is easier but gives you less control: is there's an host that didn't connect in the last month you don't detect the missing one.

The second solution, requires more work, but gives you more control.

To my customers, I hint the second solution!

Then you can run a search like this to check if there's some host missing:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ 
   | inputlookup perimeter.csv
   | eval host=lower(host), count=0
   | fields host count
   ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

Splunk Dashboard UF search to check if they're reporting back to Splunk?

dashboard

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI