Monitoring Splunk

How do I check if Splunk is ingesting logs from a certain host /server or type of logs received?

SamHTexas
Builder

How do I check if Splunk is ingesting logs from a certain host /server or type of logs received? I need to validate if a certain server / host is sending data to Splunk please? Thank u in advance.


gcusello
SplunkTrust

Hi @SamHTexas,

let me understand: you want to check if a list of hosts (from a lookup) is sending a kind of log, is it correct?

if this is your need, you have to do two preparatory activities:

  • exactly identify logs to check (e.g. Windows logs with EventCode=4624);
  • prepare a lookup containing the hosts to check (e.g. called "perimeter.csv" and containing a column called "host").

then you have to run a search like this:

index=wineventlog EventCode=4624
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| where total=0

In this way you have the list of the hosts from the lookup that didn't send logs of that kind.

Ciao.

Giuseppe


SamHTexas
Builder

Grazie for your response. Let's say we have a server called server5. I am trying to see if there are any logs being ingested into Splunk enterprise at all. So how do I search for that please? Thank u again.


gcusello
SplunkTrust

Hi @SamHTexas,

if you have to check whether you're receiving some kind of log from a single server, it's even easier:

index=* host=server5
  • if there are logs, all OK;
  • if you have no results, fire an alert.

The rule is:

if you have one host you can use a simple search like the above,

if instead you have more servers, it's better to use a lookup and the search of the previous answer.

Ciao.

Giuseppe
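To make the logic of both answers concrete, here is an added Python re-implementation of the two checks (the lookup-based "which expected hosts went quiet" search from the first answer, and the single-host `index=* host=server5` check from the second). It is not Splunk code and not part of the thread; the events and the perimeter lookup are constructed sample data standing in for `index=wineventlog` results and `perimeter.csv`, and the function names are this example's own.

```python
"""Re-implementation of the thread's two Splunk searches in plain Python.

The sample data below is constructed for this example; it is not real log data.
"""
from collections import Counter

# Constructed stand-in for `index=wineventlog` results. Note the mixed-case
# host names: this is why the SPL does `eval host=lower(host)` first.
SAMPLE_EVENTS = [
    {"host": "SERVER1", "EventCode": "4624"},
    {"host": "server1", "EventCode": "4624"},
    {"host": "server2", "EventCode": "4625"},  # reporting, but not the event we want
    {"host": "Server3", "EventCode": "4624"},
    {"host": "server9", "EventCode": "4624"},  # reporting, but not in the lookup
]

# Constructed stand-in for perimeter.csv with its single "host" column.
PERIMETER_LOOKUP = ["server1", "SERVER2", "server3", "server4"]


def count_by_host(events, event_code="4624"):
    """Mirror `index=... EventCode=4624 | eval host=lower(host) | stats count BY host`."""
    counts = Counter()
    for ev in events:
        if ev.get("EventCode") == event_code:
            counts[ev["host"].lower()] += 1
    return counts


def silent_hosts(events, lookup_hosts, event_code="4624"):
    """Mirror the append / sum / where part of the first answer's search.

    `append [| inputlookup ... | eval count=0]` adds a zero row for every expected
    host; `stats sum(count) AS total BY host` merges it with the observed count;
    `where total=0` keeps only expected hosts that produced nothing.
    """
    totals = count_by_host(events, event_code)
    for h in lookup_hosts:
        # setdefault == "append a count=0 row"; observed hosts keep their count.
        totals.setdefault(h.lower(), 0)
    # Hosts that report but are absent from the lookup (server9) have total > 0
    # and therefore drop out here, exactly as in the SPL.
    return sorted(h for h, total in totals.items() if total == 0)


def host_is_reporting(events, host):
    """Mirror the second answer's `index=* host=server5`: any event at all counts."""
    host = host.lower()
    return any(ev["host"].lower() == host for ev in events)


if __name__ == "__main__":
    print("counts:", dict(count_by_host(SAMPLE_EVENTS)))
    print("silent perimeter hosts:", silent_hosts(SAMPLE_EVENTS, PERIMETER_LOOKUP))
    for h in ("server2", "server5"):
        print(h, "reporting:", host_is_reporting(SAMPLE_EVENTS, h))
```

Running it shows the distinction that matters for alerting: server2 is reporting (so the single-host check passes) but is still listed as silent by the lookup search, because it never sent the specific EventCode the search filters on. Conversely, server9 sends 4624 events but is ignored because it is not in the lookup. The `lower()` normalisation is what lets SERVER1 and server1 roll up into one host with a count of 2.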
