I am trying to identify "windows hosts" that are logging to my Splunk indexer. Unfortunately, neither the hosts/server names nor anything like IP address subnet, have a pattern that uniquely identify my windows hosts for using a REGEX. I have looked at the metadata function and that does give me list of hosts, but that does not help because I cannot tell which hosts are "windows".
Here is what I have tried so far:
1. I created an eventtype=windows_hosts based on the following search: (sourcetype=windowsupdate OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:System") | dedup host | table host
2. This gives me the list I want, but the list is now derived by searching through the events which I am sure will be a lot of overhead depending on the timeframe I use.
Is there a simpler/more efficient way to generate this data?
well, your question to me sounds like you have disparate types of sources being dumped into the same index and now you wish to search the index for just windows systems. can you configure Splunk to dump all of your windows sources into a "windowsonly" index? if you do this then you dont need a custom eventtype, you just search the index directly as it will return data that is just windows related, etc. now your search becomes "index=windowsonly | table host", or, if the user role is pinned to windows_only then all you need is "table host".
Thanks Cvajs. Acutally, I do have all the windows servers going to "windows-only" indexes. However, my question is what is the most efficient way of reporting on those hosts? I can do the search you mentioned but searches through all the events again to extract the host field. The gist of my question was whether I could get Splunk to dynamically maintain a list of windows-hosts at indexing time rather than at search time. But in retrospect that might not make much sense.
Thanks very much.
You can generate a lookup table which contains the hosts which you have seen Windows data for in the past. This search will merge them into a lookup, so you could schedule it to run each day or another appropriate time period.
sourcetype=windowsupdate OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:System" | stats count by host | eval isWinHost=1 | fields host isWinHost | inputlookup append=T windows_hosts.csv | outputlookup windows_hosts.csv
You can then use this lookup table to check if a host is a Windows host, or you can get a list of all Windows hosts by using the inputlookup command.
This may be a bit late but you can always look up the summary_forwarders index for your search. I use this subsearch to look for data from only windows hosts:
index=os [ search index="summary_forwarders" os=windows | table sourceHost | dedup sourceHost | rename sourceHost as host ]
Hello yongly. Thanks very much for your response. I should have thought of the deployment monitor. I just installed it and it helped me pinpoint the problem host. Thanks.