Monitoring Splunk

How do I check if Splunk is ingesting logs from a certain host /server or type of logs received?

SamHTexas
Contributor

How do I check if Splunk is ingesting logs from a certain host /server or type of logs received? I need to validate if a certain server / host is sending data to Splunk please? Thank u in advance.

Labels (1)
Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SamHTexas,

let me understand: you want to check if a list of hosts (from a lookup) is sending a kind of log, is it correct?

if this is your need, you have to do two preparatory activities:

  • exactly identify logs to check (e.g. Windows logs with EventCode=4624);
  • prepare a lookup containing the hosts to check (e.g. called "perimeter.csv" and containing a column called "host").

then you have to run a search like this:

index=wineventlog EventCode=4624
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count AS total BY host
| where total=0

In this way you have the list of the hosts from the lookup that didn't send logs og that kind.

Ciao.

Giuseppe

0 Karma

SamHTexas
Contributor

Grazie for your response. Let's say we have a server called server5. I am trying to see if there are any logs being ingested into Splunk enterprise at all. So how do I search for that please? Thank u again.

Tags (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @SamHTexas,

if you have to check if you're receiving some kind of log from a single server still it's easier:

index=* host=server5
  • if there are logs , all OK,
  • if you haven't results, fire an alert.

The rule is:

if you have one host you can use a simple search like the above,

if instead you have more servers, i's better to use a lookup and the search of the previous answer.

Ciao.

Giuseppe

.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!