Monitoring Splunk
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I check if Splunk is ingesting logs from a certain host /server or type of logs received?

SamHTexas
Builder
‎04-21-2021 01:41 PM

How do I check if Splunk is ingesting logs from a certain host /server or type of logs received? I need to validate if a certain server / host is sending data to Splunk please? Thank u in advance.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-21-2021 11:18 PM

Hi @SamHTexas,

let me understand: you want to check if a list of hosts (from a lookup) is sending a kind of log, is it correct?

if this is your need, you have to do two preparatory activities:

  • exactly identify logs to check (e.g. Windows logs with EventCode=4624);
  • prepare a lookup containing the hosts to check (e.g. called "perimeter.csv" and containing a column called "host").

then you have to run a search like this:

index=wineventlog EventCode=4624
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count AS total BY host
| where total=0

In this way you have the list of the hosts from the lookup that didn't send logs og that kind.

Ciao.

Giuseppe

0 Karma
Reply

SamHTexas
Builder
‎04-22-2021 09:16 AM

Grazie for your response. Let's say we have a server called server5. I am trying to see if there are any logs being ingested into Splunk enterprise at all. So how do I search for that please? Thank u again.

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎04-22-2021 11:15 PM

Hi @SamHTexas,

if you have to check if you're receiving some kind of log from a single server still it's easier:

index=* host=server5
  • if there are logs , all OK,
  • if you haven't results, fire an alert.

The rule is:

if you have one host you can use a simple search like the above,

if instead you have more servers, i's better to use a lookup and the search of the previous answer.

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...