Reporting

Generate 80 reports at the first of each month

Path Finder

I use splunk to collect Cisco firewall data. I have 80 firewalls in my network. I would like a report to be generated which has the results of 3 searches (in table format) for each of my firewalls on the first of every month. I don't think a report can do more than one search and I will probably use a view/dashboard instead. Instead of creating 80 reports manually, how can I use a list of devices to run a report against a view which is then emailed to me when it's complete?

Tags (2)
0 Karma
1 Solution

Legend

The first trick is to get a list of the 80 firewalls. There are two ways to do this: one is to use a lookup table. The second way is to get the list by doing a search, which is what I will do (perhaps badly). Let's assume that the following search will return a list of the firewalls:
host=firewall* | dedup host | table host

The second trick is to use the map command to drive the reports based on the first search:

host=firewall* | dedup host | table host
| map search="host=$host$ | stats count by error_code event_desc | sort -count" maxsearches=100

Save this search and schedule it to run monthly, emailing you the results.

Repeat for the remaining two searches.

View solution in original post

Legend

The first trick is to get a list of the 80 firewalls. There are two ways to do this: one is to use a lookup table. The second way is to get the list by doing a search, which is what I will do (perhaps badly). Let's assume that the following search will return a list of the firewalls:
host=firewall* | dedup host | table host

The second trick is to use the map command to drive the reports based on the first search:

host=firewall* | dedup host | table host
| map search="host=$host$ | stats count by error_code event_desc | sort -count" maxsearches=100

Save this search and schedule it to run monthly, emailing you the results.

Repeat for the remaining two searches.

View solution in original post

Path Finder

This is pretty cool! I didn't know about the map keyword. It didn't work as is, I had to add an extra "search" keyword in there. The final result was this
host=firewall* | dedup host | table host
| map search="search host=$host$ | stats count by error_code event_desc | sort -count" maxsearches=100

0 Karma

Path Finder

When creating a report I only see one search box that is available. I don't see how I can make a report with multiple search results. That's a dashboard/view not a report/search.
The three searches I want to conduct are:
host=$device$ | stats count by error_code event_desc | sort -count
host=$device$ | eventtype=firewall-deny | stats count by src_ip dest_ip dest_port | sort 25 -count
host=$device$ error_code="111008" | rex field=_raw "User (?<user>.*) executed the (?<command>.*) command." | table _time user command

0 Karma

Legend

Actually, I think you might be surprised at how much can be combined into a single report.

What are the three searches?

0 Karma