Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk Dashboard UF search to check if they're reporting back to Splunk?

arunsundarm
Engager
‎03-10-2023 12:58 AM

I Need to take a CSV file as input with a list of UF hostnames and check if they are reporting to splunk deployment server in a dashbaord

Labels (1)
Labels
0 Karma
Reply

arunsundarm
Engager
‎03-10-2023 05:43 AM

Thank you so much for the response, Is it possible to make the users upload the csv file into a dashbaord instead of a lookup file?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2023 06:41 AM

Hi @arunsundarm,

You could also use the commain inputcsv, that probably works, but I usually use a lookup, and I hint to use the same approach.

Ciao.

Giuseppe

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2023 01:11 AM

Hi @arunsundarm,

you could run something like this:

| metasearch index=_internal
| dedup host
| table host
| outputlookup perimeter.csv

in this way you have a list of host that reported in a period (e.g. last month) and the list is saved in a lookup called perimeter.cav.

You can manage this lookup in two ways:

  • schedule the above search e.g. every night to update the lookup,
  • manually update the lookup with new or cancelled hosts.

the first solution is easier but gives you less control: is there's an host that didn't connect in the last month you don't detect the missing one.

The second solution, requires more work, but gives you more control.

To my customers, I hint the second solution!

Then you can run a search like this to check if there's some host missing:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ 
   | inputlookup perimeter.csv
   | eval host=lower(host), count=0
   | fields host count
   ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...