I use splunk to collect Cisco firewall data. I have 80 firewalls in my network. I would like a report to be generated which has the results of 3 searches (in table format) for each of my firewalls on the first of every month. I don't think a report can do more than one search and I will probably use a view/dashboard instead. Instead of creating 80 reports manually, how can I use a list of devices to run a report against a view which is then emailed to me when it's complete?
The first trick is to get a list of the 80 firewalls. There are two ways to do this: one is to use a lookup table. The second way is to get the list by doing a search, which is what I will do (perhaps badly). Let's assume that the following search will return a list of the firewalls:
host=firewall* | dedup host | table host
The second trick is to use the map command to drive the reports based on the first search:
host=firewall* | dedup host | table host
| map search="host=$host$ | stats count by error_code event_desc | sort -count" maxsearches=100
Save this search and schedule it to run monthly, emailing you the results.
Repeat for the remaining two searches.
This is pretty cool! I didn't know about the map keyword. It didn't work as is; I had to add an extra "search" keyword in there. The final result was this:
host=firewall* | dedup host | table host
| map search="search host=$host$ | stats count by error_code event_desc | sort -count" maxsearches=100
When creating a report I only see one search box that is available. I don't see how I can make a report with multiple search results. That's a dashboard/view not a report/search.
The three searches I want to conduct are:
host=$device$ | stats count by error_code event_desc | sort -count
host=$device$ eventtype=firewall-deny | stats count by src_ip dest_ip dest_port | sort 25 -count
host=$device$ error_code="111008" | rex field=_raw "User (?<user>.*) executed the (?<command>.*) command." | table _time user command
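To make concrete what the map-driven search does per firewall, here is an added worked example that is not part of the original thread: a small Python model of the three searches run over a constructed set of events. The event records, host names, IPs, timestamps and the raw 111008 message text are all made up for the example; the regular expression is the one from the third search, translated from Splunk's `(?<name>...)` to Python's `(?P<name>...)` named-group syntax. `monthly_report` plays the role of the outer `map`: it derives the host list the same way as `host=firewall* | dedup host | table host` and then runs the three per-host aggregations for each one.

```python
import re
from collections import Counter

# Constructed sample events (not from the original thread). Field names follow
# the three searches: host, error_code, event_desc, eventtype, src_ip, dest_ip,
# dest_port, _time and _raw. Fields a given event type would not carry are omitted.
EVENTS = [
    {"host": "firewall01", "_time": "2013-05-01 00:01:00", "error_code": "106023",
     "event_desc": "Deny tcp", "eventtype": "firewall-deny",
     "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10", "dest_port": "445"},
    {"host": "firewall01", "_time": "2013-05-01 00:02:00", "error_code": "106023",
     "event_desc": "Deny tcp", "eventtype": "firewall-deny",
     "src_ip": "10.0.0.5", "dest_ip": "192.0.2.10", "dest_port": "445"},
    {"host": "firewall01", "_time": "2013-05-01 00:03:00", "error_code": "106023",
     "event_desc": "Deny udp", "eventtype": "firewall-deny",
     "src_ip": "10.0.0.7", "dest_ip": "192.0.2.11", "dest_port": "53"},
    {"host": "firewall01", "_time": "2013-05-01 00:04:00", "error_code": "111008",
     "event_desc": "Command executed",
     "_raw": "firewall01: User admin executed the show running-config command."},
    {"host": "firewall02", "_time": "2013-05-01 00:05:00", "error_code": "106023",
     "event_desc": "Deny tcp", "eventtype": "firewall-deny",
     "src_ip": "10.0.1.9", "dest_ip": "198.51.100.4", "dest_port": "22"},
    {"host": "firewall02", "_time": "2013-05-01 00:06:00", "error_code": "111008",
     "event_desc": "Command executed",
     "_raw": "firewall02: User ops executed the write memory command."},
    # A non-firewall host, which host=firewall* must leave out of the report.
    {"host": "core-switch01", "_time": "2013-05-01 00:07:00", "error_code": "000001",
     "event_desc": "Link up"},
]

# Third search's rex, in Python named-group syntax.
EXEC_RE = re.compile(r"User (?P<user>.*) executed the (?P<command>.*) command\.")


def list_hosts(events):
    """host=firewall* | dedup host | table host -> ordered, de-duplicated host list."""
    seen = []
    for e in events:
        if e["host"].startswith("firewall") and e["host"] not in seen:
            seen.append(e["host"])
    return seen


def errors_by_code(events, host):
    """host=$host$ | stats count by error_code event_desc | sort -count"""
    counts = Counter((e["error_code"], e["event_desc"]) for e in events if e["host"] == host)
    return sorted(counts.items(), key=lambda kv: -kv[1])


def top_denies(events, host, limit=25):
    """host=$host$ eventtype=firewall-deny | stats count by src_ip dest_ip dest_port | sort 25 -count"""
    counts = Counter(
        (e["src_ip"], e["dest_ip"], e["dest_port"])
        for e in events
        if e["host"] == host and e.get("eventtype") == "firewall-deny"
    )
    return sorted(counts.items(), key=lambda kv: -kv[1])[:limit]


def extract_user_command(raw):
    """Apply the rex to one raw message; returns (user, command) or None."""
    m = EXEC_RE.search(raw)
    return (m.group("user"), m.group("command")) if m else None


def executed_commands(events, host):
    """host=$host$ error_code="111008" | rex ... | table _time user command"""
    rows = []
    for e in events:
        if e["host"] == host and e.get("error_code") == "111008":
            parsed = extract_user_command(e.get("_raw", ""))
            if parsed:
                rows.append((e["_time"], parsed[0], parsed[1]))
    return rows


def monthly_report(events):
    """The outer map: run all three tables for every firewall in the host list."""
    return {
        host: {
            "errors": errors_by_code(events, host),
            "denies": top_denies(events, host),
            "commands": executed_commands(events, host),
        }
        for host in list_hosts(events)
    }


if __name__ == "__main__":
    for host, tables in monthly_report(EVENTS).items():
        print(host)
        for name, rows in tables.items():
            print(f"  {name}: {rows}")
```

The three per-host functions are independent of one another, which is the point the thread ends on: once each search is keyed on the host field, they can all be driven from the same host list in a single scheduled run rather than 80 hand-made reports. The `limit=25` mirrors `sort 25 -count`, which caps the deny table at the 25 busiest source/destination/port triples per firewall.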
Actually, I think you might be surprised at how much can be combined into a single report.
What are the three searches?