I want to get a list of firewalls and servers sending logs to Splunk. What query should I use?
To be completely blunt - you should contact the person responsible for data onboarding to your Splunk infrastructure and/or your network admins.
In case of _some_ sources, if they (the source devices) are properly configured, you _might_ be able to get some info from the data you have in Splunk, but it's impossible to tell you how, as we don't know what you have in your environment, how your events are sent, what types of data you have and so on.
Just to remind you - Splunk as such processes data. It's a general solution, not a specific <whatever> monitor. It might work as such but must be properly configured (including - most importantly - proper data onboarding).
So if this step was done properly, you might have this data in your Splunk. But if not - you might, for example, have all your sources reporting as "localhost" and being indistinguishable from one another.
Hi @sulaimancds,
the only problem is to identify a time in which you're sure that a source surely sent logs to Splunk.
Then you can run a simple search like this:
| tstats count WHERE index=* BY host
If you want, you can save the output of this search in a lookup to implement an alert for missing data using the outputlookup command.
Ciao.
Giuseppe
I have 2 networks sending logs to me:
abc.xyz.com
cad.xyz.com
I want to show the devices from these 2 networks separately.
Hi @sulaimancds,
as you can read at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats, you can add the span option to the tstats command and add other fields.
Assuming that size and network are two fields from your events:
| tstats sum(size) AS size WHERE index=* BY host network _time span=1d
| eval month=strftime(_time,"%m"), year=strftime(_time,"%Y")
| eventstats sum(size) AS monthly BY month
| eventstats sum(size) AS yearly BY year
Then you can choose how to display the results.
Ciao.
Giuseppe
Hi, it does not work, nvm.
I have 2 networks sending logs to me:
abc.xyz.com
cad.xyz.com
I want to show the devices from these 2 networks separately, with their IP address and hostname.
Hi @sulaimancds,
what do you mean by "it does not work, nvm"?
What's the issue?
Anyway, results are separated by network and host; if you also want the IP address, you can add this information to the search too:
| tstats sum(size) AS size values(ip) AS ip WHERE index=* BY host network _time span=1d
| eval month=strftime(_time,"%m"), year=strftime(_time,"%Y")
| eventstats sum(size) AS monthly BY month
| eventstats sum(size) AS yearly BY year
Ciao.
Giuseppe
There are no results shown.
Hi @sulaimancds,
sorry, I'm completely wrong!
tstats can only be used with fields extracted at index time, so please try this, even if it's a very long search:
index=*
| bin span=1d _time
| stats sum(size) AS size values(ip) AS ip BY host network _time
| eval month=strftime(_time,"%m"), year=strftime(_time,"%Y")
| eventstats sum(size) AS monthly BY month
| eventstats sum(size) AS yearly BY year
Ciao.
Giuseppe
Hi,
I have an Excel sheet with all my hostnames; I would like to do a search on which hostnames are not sending logs over to Splunk. Not IP address, hostnames. Any query which could help me? The file name is 123.csv.
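As an added example (not from any post in this thread), the following search compares the hostnames in the uploaded CSV against the hosts that actually reported in the last 24 hours, and can feed the missing-data alert Giuseppe mentioned via outputlookup. It assumes 123.csv has been uploaded as a lookup table file with a column named hostname, and that the Splunk host field carries a hostname rather than an IP or "localhost" (if onboarding was not done properly, nothing will match).

```spl
| tstats count AS events latest(_time) AS last_seen WHERE index=* earliest=-24h BY host
| eval host=lower(host), in_splunk=1 ``` lowercase both sides so ABC.xyz.com and abc.xyz.com match ```
| append
    [| inputlookup 123.csv
     | rename hostname AS host ``` assumption: the CSV column is called "hostname" ```
     | eval host=lower(host), in_csv=1]
| stats sum(events) AS events max(last_seen) AS last_seen max(in_splunk) AS in_splunk max(in_csv) AS in_csv BY host
| where in_csv=1 ``` keep only the hosts from your inventory sheet ```
| eval status=if(isnull(in_splunk), "MISSING", "ok"),
       last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| fillnull value=0 events
| table host status events last_seen
| sort status
```

Hosts marked MISSING are in 123.csv but sent no events in the window; appending `| where status="MISSING" | outputlookup missing_hosts.csv` (constructed lookup name) turns this into a scheduled alert feed.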
Maybe in GB or MB for all log sources.