Getting Data In

How to get a list of servers that are reporting into Splunk via universal forwarder, WMI or both where count > 1?

sbattista09
Contributor

I want to get a list of servers that are reporting into Splunk via UF or WMI or both. I have this going for me, but I want to add something to it that would show: if the count for WMI is >1 then yes, if the count for UF is >1 then yes, if the count on UF and WMI is >1 then both. Would this be possible? I'm not sure how to do "where count equals" in Splunk yet.

sourcetype=WinEventLog OR sourcetype=WMI:WinEventLog [|inputlookup wmi.csv | fields WIM | rename WIM as host] |chart count(eval(sourcetype="WinEventLog")) as UF,count(eval(sourcetype="WMI:WinEventLog")) as WMI by host
1 Solution

somesoni2
Revered Legend

Try something like this

sourcetype=WinEventLog OR sourcetype=WMI:WinEventLog [|inputlookup wmi.csv | fields WIM | rename WIM as host] | eval TypeUF=if(sourcetype="WinEventLog",1,0) | eval TypeWMI=if(sourcetype="WMI:WinEventLog",1,0) | eval TypeBOTH=if(TypeUF+TypeWMI=2,1,0) | stats sum(TypeUF) as UF, sum(TypeWMI) as WMI, sum(TypeBOTH) as BOTH by host

UPDATED

This should do the trick.

sourcetype=WinEventLog OR sourcetype=WMI:WinEventLog [|inputlookup wmi.csv | fields WIM | rename WIM as host] | eval TypeUF=if(sourcetype="WinEventLog",1,0) | eval TypeWMI=if(sourcetype="WMI:WinEventLog",1,0)  | stats sum(TypeUF) as UF, sum(TypeWMI) as WMI by host | eval UF=if(UF>0,"yes","no") | eval WMI=if(WMI>0,"yes","no") | eval BOTH=if(UF="yes" AND WMI="yes","yes","no") 
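
The accepted query's logic, re-implemented in Python over constructed sample events as an added example (this is not code from the thread or from Splunk). It assumes the same two sourcetypes, a stand-in list for the WIM column of wmi.csv, and the query's "count above zero means yes" threshold (exposed as a parameter so the >1 in the question can be tried too). It also goes one step further than the SPL: a host that is in the lookup but sent no events at all produces no row from a stats-by-host search, so the report adds those hosts back as no/no/no, which is what you want when the point of the list is to find machines that have stopped logging.

```python
from collections import defaultdict

# Constructed sample events, not real data: (host, sourcetype).
# "WinEventLog" arrives via the universal forwarder, "WMI:WinEventLog" via WMI.
SAMPLE_EVENTS = [
    ("serverA", "WinEventLog"), ("serverA", "WinEventLog"),
    ("serverB", "WinEventLog"), ("serverB", "WMI:WinEventLog"),
    ("server32", "WinEventLog"),
    ("server5", "WMI:WinEventLog"), ("server5", "WMI:WinEventLog"),
    ("serverX", "WinEventLog"),   # not in the lookup: the subsearch filters it out
]

# Constructed stand-in for the WIM column of wmi.csv (hosts expected to report).
WMI_LOOKUP_HOSTS = ["serverA", "serverB", "server32", "server5", "server7"]


def count_by_host(events, lookup_hosts):
    """Subsearch filter + the two eval steps + stats sum(...) by host.
    Returns {host: {"UF": n, "WMI": n}} only for hosts that have events."""
    wanted = set(lookup_hosts)
    counts = defaultdict(lambda: {"UF": 0, "WMI": 0})
    for host, sourcetype in events:
        if host not in wanted:
            continue
        if sourcetype == "WinEventLog":
            counts[host]["UF"] += 1
        elif sourcetype == "WMI:WinEventLog":
            counts[host]["WMI"] += 1
    return dict(counts)


def yes_no_both(counts, min_events=1):
    """The final three evals: UF/WMI become yes/no, BOTH is yes only if both are.
    min_events=1 matches the query's UF>0 / WMI>0; pass 2 for a strict >1."""
    rows = {}
    for host, c in counts.items():
        uf = "yes" if c["UF"] >= min_events else "no"
        wmi = "yes" if c["WMI"] >= min_events else "no"
        both = "yes" if uf == "yes" and wmi == "yes" else "no"
        rows[host] = {"UF": uf, "WMI": wmi, "BOTH": both}
    return rows


def coverage_report(events, lookup_hosts, min_events=1):
    """Same table as the SPL, plus a no/no/no row for every lookup host that
    sent nothing in the window (the search alone never shows those)."""
    rows = yes_no_both(count_by_host(events, lookup_hosts), min_events)
    for host in lookup_hosts:
        rows.setdefault(host, {"UF": "no", "WMI": "no", "BOTH": "no"})
    return rows


if __name__ == "__main__":
    print(f"{'host':<10}{'UF':<5}{'WMI':<5}BOTH")
    for host, r in sorted(coverage_report(SAMPLE_EVENTS, WMI_LOOKUP_HOSTS).items()):
        print(f"{host:<10}{r['UF']:<5}{r['WMI']:<5}{r['BOTH']}")
```

With the sample data, serverB is the only host marked BOTH, serverX never appears because it is not in the lookup, and server7 shows no/no/no only because the report adds it back. In Splunk the same result holds for whatever time range the search runs over, so a host that normally forwards but went quiet for the selected window will read "no" as well.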

sbattista09
Contributor

Thank you! However, for some reason this did not work too well for me. I think it may be because I'm counting the number of logs for each sourcetype. That's why I think I need to do: where count >1 output yes, if 0 output no, and if >1 for both then have another column say Both. Would this be possible?

0 Karma

somesoni2
Revered Legend

What is your expected output format (columns) and their corresponding values?

0 Karma

sbattista09
Contributor

host      UF     WMI

serverA   54332  0
serverB   906    221
server32  332    0
server5   0      3432

I want to change this to:
host UF WMI Both
serverA Yes no
serverB 0 0 Yes
server32 Yes 0
server5 0 Yes

0 Karma

somesoni2
Revered Legend

See the updated answer

sbattista09
Contributor

You're the MAN! Thanks!

0 Karma