Monitoring Splunk

Getting a list of Firewalls and Servers?

sulaimancds
Engager

I want to get a list of firewalls and servers sending logs to Splunk. What query should I use?

0 Karma

PickleRick
SplunkTrust

To be completely blunt - you should contact the person responsible for data onboarding to your Splunk infrastructure and/or your network admins.

In case of _some_ sources, if they (the source devices) are properly configured, you _might_ be able to get some info from the data you have in Splunk, but it's impossible to tell you how as we don't know what you have in your environment, how your events are sent, what types of data you have and so on.

Just to remind you - Splunk as such processes data. It's a general solution, not a specific <whatever> monitor. It might work as such but must be properly configured (including - most importantly - proper data onboarding).

So if this step was done properly, you might have this data in your Splunk. But if not - you might, for example, have all your sources reporting as "localhost" and being indistinguishable from one another.

0 Karma

gcusello
SplunkTrust

Hi @sulaimancds,

the only problem is to identify a time in which you're sure that a source surely sent logs to Splunk.

Then you can run a simple search like this:

| tstats count WHERE index=* BY host

If you want, you can save the output of this search in a lookup to implement alerts for missing data using the outputlookup command.

Ciao.

Giuseppe

0 Karma

sulaimancds
Engager

I have 2 networks sending logs to me:

abc.xyz.com

cad.xyz.com

I want to show the devices from these 2 networks separately.

0 Karma

gcusello
SplunkTrust

Hi @sulaimancds,

as you can read at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats, you can add the span option to the tstats command and add other fields:

assuming that size and network are two fields from your events:


| tstats sum(size) AS size WHERE index=* BY host network _time span=1d
| eval month=strftime(_time,"%m"), year=strftime(_time,"%Y")
| eventstats sum(size) AS monthly BY month
| eventstats sum(size) AS yearly BY year


then you can choose how to display results.

Ciao.

Giuseppe

0 Karma

sulaimancds
Engager

Hi, it does not work, nvm.

I have 2 networks sending logs to me:

abc.xyz.com

cad.xyz.com

I want to show the devices from these 2 networks separately, and their IP address and hostname.

0 Karma

gcusello
SplunkTrust

Hi @sulaimancds,

what do you mean by "it does not work, nvm"?

what's the issue?

Anyway, results are separated by network and host; if you also want the IP address, you can add this information to the search:

| tstats sum(size) AS size values(ip) AS ip WHERE index=* BY host network _time span=1d
| eval month=strftime(_time,"%m"), year=strftime(_time,"%Y")
| eventstats sum(size) AS monthly BY month
| eventstats sum(size) AS yearly BY year

Ciao.

Giuseppe

0 Karma

sulaimancds
Engager

there are no results shown

0 Karma

gcusello
SplunkTrust

Hi @sulaimancds,

sorry, I'm completely wrong!

it isn't possible to use tstats with fields that aren't extracted at index time, so please try this, even if it's a very long search:

index=*
| bin span=1d _time
| stats sum(size) AS size values(ip) AS ip BY host network _time 
| eval month=strftime(_time,"%m"), year=strftime(_time,"%Y")
| eventstats sum(size) AS monthly BY month
| eventstats sum(size) AS yearly BY year

Ciao.

Giuseppe

0 Karma
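The thread keeps tripping over the same point: tstats can only group by fields that exist in the index (host, source, sourcetype, index, plus any indexed fields you configured), so an event-level field such as network or ip returns nothing. The search below is an added example, not part of the thread and not Giuseppe's search. It keeps the fast tstats scan on host only and derives the network afterwards from the host name. It assumes the devices report as FQDNs under the two domains from the question (for example fw01.abc.xyz.com), that the search head can resolve those names through the dnslookup external lookup that ships with Splunk Enterprise, and a 7-day window; all three are assumptions, not facts from the thread.

```spl
| tstats count AS events latest(_time) AS last_seen
    WHERE index=* earliest=-7d
    BY host
| eval host=lower(host)
| eval network=case(like(host, "%.abc.xyz.com"), "abc.xyz.com",
                    like(host, "%.cad.xyz.com"), "cad.xyz.com",
                    true(), "other")
| lookup dnslookup clienthost AS host OUTPUT clientip AS ip
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table network host ip events last_seen
| sort network host
```

like() is used instead of match() so the dots in the domain are literal and no regex escaping is needed. Anything that lands in the "other" bucket is worth a look: a device reporting as a bare IP, a short name or "localhost" is exactly the onboarding problem PickleRick warned about, and it will not be attributed to either network until its host field is fixed. If the search head has no DNS access, drop the lookup line; the IP is not an indexed field, so there is no way to get it from tstats itself.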

sulaimancds
Engager

Hi,

I have an Excel sheet with all my hostnames. I would like to do a search on which hostnames are not sending logs over to Splunk: not IP addresses, hostnames. Any query which could help me? The file name is 123.csv.

0 Karma
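This is the "missing data" alert Giuseppe mentioned earlier with outputlookup, turned around: instead of baselining from Splunk, the expected list comes from the spreadsheet. The search is an added example, not from the thread. It assumes 123.csv has been uploaded as a lookup table file (Settings > Lookups > Lookup table files) with a column named hostname, and that the sheet may hold short names while Splunk sees FQDNs, so both sides are compared on the lowercased first label; the column name and that normalisation are assumptions.

```spl
| inputlookup 123.csv
| eval short=lower(mvindex(split(hostname, "."), 0)), expected=1
| fields short expected
| append
    [| tstats latest(_time) AS last_seen
        WHERE index=* earliest=-24h
        BY host
     | eval short=lower(mvindex(split(host, "."), 0))
     | fields short last_seen]
| stats max(expected) AS expected max(last_seen) AS last_seen BY short
| where expected=1 AND isnull(last_seen)
| rename short AS hostname
| table hostname
```

The result is the list of spreadsheet hosts with no events in the last 24 hours; hosts that are in Splunk but not in the sheet are dropped by the where clause, and swapping the condition to isnull(expected) lists the reverse (unknown senders). append and stats are used rather than join or a NOT subsearch because those hit the subsearch result limits on large estates. If your sheet already carries FQDNs that match the host field exactly, replace the two mvindex/split expressions with lower(hostname) and lower(host). Save it as an alert with a "number of results > 0" trigger to get notified when a firewall goes quiet.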

Jamilahmajed
New Member

Hey, did you find the solution?

0 Karma

DanielPi
Moderator

Hi @Jamilahmajed,

I’m a Community Moderator in the Splunk Community.

This question was posted 1 year ago, so it might not get the attention you need for your question to be answered. We recommend that you post a new question so that your issue can get the visibility it deserves. To increase your chances of getting help from the community, follow these guidelines in the Splunk Answers User Manual when creating your post.

Thank you! 

0 Karma

sulaimancds
Engager
  • The log size (daily/monthly/yearly)

Maybe in GB or MB for all log sources

0 Karma
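The size searches earlier in the thread assume a size field in every event, which most sources do not have. Splunk already records how many bytes each host contributed to the license meter in license_usage.log, so the per-network volume can be read from there instead of scanning every event. The search below is an added example, not from the thread. It assumes the same FQDN convention for the two networks as the question, that you have read access to _internal on the license manager, and a 30-day window; those are assumptions.

```spl
index=_internal source=*license_usage.log type=Usage earliest=-30d@d
| eval host=lower(h)
| eval network=case(like(host, "%.abc.xyz.com"), "abc.xyz.com",
                    like(host, "%.cad.xyz.com"), "cad.xyz.com",
                    true(), "other")
| bin _time span=1d
| stats sum(b) AS daily_bytes BY network host _time
| eval day=strftime(_time, "%Y-%m-%d"),
       month=strftime(_time, "%Y-%m"),
       year=strftime(_time, "%Y")
| eventstats sum(daily_bytes) AS monthly_bytes BY network month
| eventstats sum(daily_bytes) AS yearly_bytes BY network year
| eval daily_mb=round(daily_bytes/1048576, 2),
       monthly_gb=round(monthly_bytes/1073741824, 2),
       yearly_gb=round(yearly_bytes/1073741824, 2)
| table network host day daily_mb month monthly_gb year yearly_gb
| sort network host day
```

Each row is one host and one day; the monthly and yearly columns are the whole network's total for that period, repeated on every row so the table can be exported as-is (add host to the eventstats BY clauses for per-host totals). Two caveats a practitioner should know before trusting the numbers: b is licensed (ingested) volume, not disk usage after compression, and when the number of host/source combinations exceeds squash_threshold in server.conf the license manager stops recording h and s per host, so the per-host breakdown collapses. _internal is also retained for a limited time by default, so a real yearly figure needs this search scheduled into a summary index rather than run against _internal directly.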