Splunk Dashboard UF search to check if they're reporting back to Splunk?

arunsundarm
Engager

I need to take a CSV file as input with a list of UF hostnames and check if they are reporting to the Splunk deployment server in a dashboard.

0 Karma

arunsundarm
Engager

Thank you so much for the response. Is it possible to make the users upload the CSV file into a dashboard instead of a lookup file?

0 Karma

gcusello
SplunkTrust

Hi @arunsundarm,

You could also use the command inputcsv, that probably works, but I usually use a lookup, and I suggest using the same approach.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust

Hi @arunsundarm,

You could run something like this:

| metasearch index=_internal
| dedup host
| table host
| outputlookup perimeter.csv

In this way you have a list of hosts that reported in a period (e.g. last month), and the list is saved in a lookup called perimeter.csv.

You can manage this lookup in two ways:

  • schedule the above search e.g. every night to update the lookup,
  • manually update the lookup with new or cancelled hosts.

The first solution is easier but gives you less control: if there's a host that didn't connect in the last month, you don't detect the missing one.

The second solution requires more work, but gives you more control.

To my customers, I suggest the second solution!

Then you can run a search like this to check if there's some host missing:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ 
   | inputlookup perimeter.csv
   | eval host=lower(host), count=0
   | fields host count
   ]
| stats sum(count) AS total BY host
| where total=0

Ciao.

Giuseppe

0 Karma
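An added example, not part of the thread and not any poster's code: a small Python model of the comparison search in the answer above (lower-case the host, give perimeter rows count=0, sum per host, keep total=0), run against both ways of maintaining perimeter.csv to show which silent forwarders each one detects. The host names, timestamps, the 30-day refresh window and the 1-day check window are constructed assumptions.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 6, 30)  # constructed reference time

# Constructed sample: host -> time of its last event in index=_internal
LAST_SEEN = {
    "UF-WEB01": NOW - timedelta(hours=2),   # healthy
    "uf-db01": NOW - timedelta(days=3),     # silent for 3 days
    "uf-app01": NOW - timedelta(days=45),   # silent longer than the refresh window
}
# Manually maintained perimeter; uf-new01 was installed but has never reported
MANUAL_PERIMETER = ["uf-web01", "UF-DB01", "uf-app01", "uf-new01"]


def reporting_hosts(last_seen, now, window):
    """Hosts with an event inside the window: `stats count BY host` after lower(host)."""
    return {h.lower(): 1 for h, t in last_seen.items() if now - t <= window}


def scheduled_perimeter(last_seen, now, window=timedelta(days=30)):
    """Option 1: the lookup is rebuilt from whatever reported in the refresh window."""
    return sorted(reporting_hosts(last_seen, now, window))


def missing_hosts(perimeter, last_seen, now, window=timedelta(days=1)):
    """Append perimeter rows with count=0, sum per host, keep hosts whose total is 0."""
    totals = dict(reporting_hosts(last_seen, now, window))
    for host in perimeter:
        key = host.lower()  # same normalisation as eval host=lower(host)
        totals[key] = totals.get(key, 0) + 0
    return sorted(h for h, total in totals.items() if total == 0)


if __name__ == "__main__":
    auto = scheduled_perimeter(LAST_SEEN, NOW)
    print("scheduled lookup :", auto)
    print("missing (sched.) :", missing_hosts(auto, LAST_SEEN, NOW))
    print("missing (manual) :", missing_hosts(MANUAL_PERIMETER, LAST_SEEN, NOW))
```

With the scheduled lookup, a host that has been silent for longer than the refresh window, or that never reported at all, is no longer in the perimeter and so is never flagged; the manual list flags both.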