Monitoring Splunk

Getting list of Firewall and Servers?

sulaimancds
Engager

I want to get a list of firewalls and servers sending logs to Splunk. What query should I use?


PickleRick
SplunkTrust

To be completely blunt - you should contact the person responsible for data onboarding to your Splunk infrastructure and/or your network admins.

In case of _some_ sources, if they (the source devices) are properly configured, you _might_ be able to get some info from the data you have in Splunk, but it's impossible to tell you how, as we don't know what you have in your environment, how your events are sent, what types of data you have and so on.

Just to remind you - Splunk as such processes data. It's a general solution, not a specific <whatever> monitor. It might work as such but must be properly configured (including - most importantly - proper data onboarding).

So if this step was done properly, you might have this data in your Splunk. But if not - you might, for example, have all your sources reporting as "localhost" and being indistinguishable from one another.


gcusello
SplunkTrust

Hi @sulaimancds,

the only problem is to identify a time in which you're sure that a source surely sent logs to Splunk.

Then you can run a simple search like this:

| tstats count WHERE index=* BY host

If you want, you can save the output of this search in a lookup to implement alerts for missing data using the outputlookup command.

Ciao.

Giuseppe


sulaimancds
Engager

I have 2 networks sending logs to me:

abc.xyz.com

cad.xyz.com

I want to show the devices from these 2 networks separately.


gcusello
SplunkTrust

Hi @sulaimancds,

as you can read at https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tstats, you can add the span option to the tstats command and add other fields:

assuming that size and network are two fields from your events:


| tstats sum(size) AS size WHERE index=* BY host network _time span=1d
| eval month=strftime(_time,"%m"), year=strftime(_time,"%Y")
| eventstats sum(size) AS monthly BY month
| eventstats sum(size) AS yearly BY year


then you can choose how to display results.

Ciao.

Giuseppe


sulaimancds
Engager

Hi, it does not work, nvm.

I have 2 networks sending logs to me:

abc.xyz.com

cad.xyz.com

I want to show the devices from these 2 networks separately, and their IP address and hostname.


gcusello
SplunkTrust

Hi @sulaimancds,

What do you mean with "it does not work, nvm"?

What's the issue?

Anyway, results are separated by network and host; if you also want the IP address, you can add this information to the search:

| tstats sum(size) AS size values(ip) AS ip WHERE index=* BY host network _time span=1d
| eval month=strftime(_time,"%m"), year=strftime(_time,"%Y")
| eventstats sum(size) AS monthly BY month
| eventstats sum(size) AS yearly BY year

Ciao.

Giuseppe


sulaimancds
Engager

There are no results shown.


gcusello
SplunkTrust

Hi @sulaimancds,

Sorry, I'm completely wrong!

It's possible to use tstats only with fields extracted at index time, so please try this, even if it's a very long search:

index=*
| bin span=1d _time
| stats sum(size) AS size values(ip) AS ip BY host network _time 
| eval month=strftime(_time,"%m"), year=strftime(_time,"%Y")
| eventstats sum(size) AS monthly BY month
| eventstats sum(size) AS yearly BY year

Ciao.

Giuseppe


sulaimancds
Engager

Hi,

I have an Excel sheet with all my hostnames. I would like to do a search on which hostnames are not sending logs over to Splunk. Not IP addresses, hostnames. Any query which could help me? The file name is 123.csv.

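One way to answer this question, added here as an example and not a reply from the thread: it assumes 123.csv has been uploaded to Splunk as a lookup table file and that its hostname column is called hostname (both assumptions; adjust to your file), and it lists every hostname from the sheet that produced no events in the last 24 hours. The comparison is built with stats rather than a subsearch, so it is not silently truncated by subsearch result limits.

```spl
| tstats count WHERE index=* earliest=-24h BY host
| inputlookup append=true 123.csv
| eval host=lower(coalesce(host, hostname))
| eval expected=if(isnull(count), 1, 0)
| fillnull value=0 count
| stats sum(count) AS events_24h, max(expected) AS expected BY host
| where expected=1 AND events_24h=0
| table host
```

Saved as a scheduled alert that triggers on any result, this flags hosts from the sheet that have gone silent; the lower() normalisation removes case differences between the sheet and the host field, which is the most common cause of false positives in this kind of comparison.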

sulaimancds
Engager
  • The log size (daily/monthly/yearly)

Maybe in GB or MB for all log sources.
