Installation

Search to find hosts sending syslog AND splunkd traffic

oreoshake
Communicator

Any idea how to create a search that finds hosts that are sending BOTH syslog and splunkd traffic? We'd like to turn off syslog for these hosts.

Tags (1)
1 Solution

rayfoo
Path Finder

what about this?

[search sourcetype=splunkd | dedup host | fields + host] sourcetype=syslog

subqueries hosts that are generating splunkd events, then use these hostnames to search for syslog sourcetypes.

View solution in original post

rayfoo
Path Finder

what about this?

[search sourcetype=splunkd | dedup host | fields + host] sourcetype=syslog

subqueries hosts that are generating splunkd events, then use these hostnames to search for syslog sourcetypes.

jrodman
Splunk Employee
Splunk Employee

What always springs to my mind for this kind of goal is:

  1. run a search that gives the list of hosts sending syslog
  2. run a search that gives the list of hosts sendind splunkd
  3. compare the two lists

3 is a bit clumsy. You can do it with the set command, but it is the clumsy part.

The Search & Indexing team is much more fond of a declarative sql-like style, and may have a more clever variation.

There's always the simplistic approach:

For the last 24 hours:

sourcetype=splunkd OR sourcetype=syslog | dedup host, sourcetype

Then review the data manually

If you wanted to get very fancy you could filter with something like:

sourcetype=splunkd OR sourcetype=syslog | dedup host, sourcetype | transaction host | search linecount=2

0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...