Getting list of Firewall and Servers?

sulaimancds · ‎03-01-2023

I want to get a list of firewalls and servers sending logs to splunk. What query should i use ?

PickleRick · ‎03-02-2023

To be completely blunt - you should contact the person responsible for data onboarding to your splunk infrastructure and/or your network admins.

In case of _some_ sources, if they (the source devices) are properly configured, you _might_ be able to get some info from the data you have in splunk but it's impossible to tell you how as we don't know what you have in you environment, how your events are sent, what types of data you have and so on.

Just to remind you - splunk as such processes data. It's a general solution, not a specific <whatever> monitor. It might work as such but must be properly configured (including - most importantly - proper data onboarding).

So if this step was done properly, you might have this data in your splunk. But if not - you might, for example, have all your sources reporting as "localhost" and being undistinguishable from one another.

gcusello · ‎03-01-2023

Hi @sulaimancds,

the only problem is to identify a time in which you're sure that a source surely sent logs to Splunk.

Then you can run a simple search like this:

| tstats count WHERE index=* BY host

If you want, you san save the output of this searh in a lookup to implement and alerts for missing data using the outputlookup command.

Ciao.

Giuseppe

sulaimancds · ‎03-01-2023

i have 2 networks sending logs to me

abc. xyz.com

cad.xyz.com

i want to show the devices from these 2 networks separately.

gcusello · ‎03-01-2023

Hi @sulaimancds,

as you can read at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats, you can add the span option at the tstats command and add other fields:

assuming that size and network are two fields from your events:

| tstats sum(size) AS size WHERE index=* BY host network _time span=1d
| eval month=strftime(_time,"%m"), year=strftime(_time,"%Y")
| eventstats sum(size) AS monthly BY month
| eventstats sum(size) AS yearly BY year

then you can choose how to display results.

Ciao.

Giuseppe

sulaimancds · ‎03-02-2023

hi it does not work , nvm

i have 2 networks sending logs to me.

abc. xyz.com

cad.xyz.com

i want to show the devices from these 2 networks separately. and their IP address and hostname

gcusello · ‎03-02-2023

Hi @sulaimancds,

what you mean with "it does not work , nvm"?

what's the issue?

anyway, results are separated for network and host, if you want also the IP address you can add also this information to the search:

| tstats sum(size) AS size values(ip) AS ip WHERE index=* BY host network _time span=1d
| eval month=strftime(_time,"%m"), year=strftime(_time,"%Y")
| eventstats sum(size) AS monthly BY month
| eventstats sum(size) AS yearly BY year

Ciao.

Giuseppe

sulaimancds · ‎03-02-2023

there are no results shown

gcusello · ‎03-02-2023

Hi @sulaimancds,

sorry I'm, completely wrong!

it isn't possible to use tststs only with fields extracted at index time, so, please try this, even if it's a verry long search:

index=*
| bin span=1d _time
| stats sum(size) AS size values(ip) AS ip BY host network _time 
| eval month=strftime(_time,"%m"), year=strftime(_time,"%Y")
| eventstats sum(size) AS monthly BY month
| eventstats sum(size) AS yearly BY year

Ciao.

Giuseppe

sulaimancds · ‎03-02-2023

hi

i have a excel sheet with all my hostnames , i would like to do a search on which hostnames are not sending logs over to splunk. not IP address , hostnames. any query which could help me. file name is 123.csv

sulaimancds · ‎03-01-2023

The log size (daily/monthly/yearly)

Maybe in GB or MB for all logs source

Getting list of Firewall and Servers?

alert action

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...