Reporting

Generate 80 reports at the first of each month

yumology
Path Finder

I use splunk to collect Cisco firewall data. I have 80 firewalls in my network. I would like a report to be generated which has the results of 3 searches (in table format) for each of my firewalls on the first of every month. I don't think a report can do more than one search and I will probably use a view/dashboard instead. Instead of creating 80 reports manually, how can I use a list of devices to run a report against a view which is then emailed to me when it's complete?

0 Karma
1 Solution

lguinn2
Legend

The first trick is to get a list of the 80 firewalls. There are two ways to do this: one is to use a lookup table. The second way is to get the list by doing a search, which is what I will do (perhaps badly). Let's assume that the following search will return a list of the firewalls:
host=firewall* | dedup host | table host

The second trick is to use the map command to drive the reports based on the first search:

host=firewall* | dedup host | table host
| map search="host=$host$ | stats count by error_code event_desc | sort -count" maxsearches=100

Save this search and schedule it to run monthly, emailing you the results.

Repeat for the remaining two searches.

yumology
Path Finder

This is pretty cool! I didn't know about the map keyword. It didn't work as is; I had to add an extra "search" keyword in there. The final result was this:
host=firewall* | dedup host | table host
| map search="search host=$host$ | stats count by error_code event_desc | sort -count" maxsearches=100

0 Karma

yumology
Path Finder

When creating a report, I only see one search box available. I don't see how I can make a report with multiple search results. That's a dashboard/view, not a report/search.
The three searches I want to conduct are:
host=$device$ | stats count by error_code event_desc | sort -count
host=$device$ eventtype=firewall-deny | stats count by src_ip dest_ip dest_port | sort 25 -count
host=$device$ error_code="111008" | rex field=_raw "User (?<user>.*) executed the (?<command>.*) command." | table _time user command

0 Karma
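Putting the pieces of this thread together, as an added example that is not from the original answer or the poster's own searches: one scheduled search that takes the firewall list from a lookup (the other option lguinn2 mentions; the lookup name firewalls.csv and its host column are assumptions), drives all three of the searches listed above through map with the leading "search" keyword that yumology found was needed, and appends the three result sets into a single table labelled with a report column. Field names (error_code, event_desc, src_ip, dest_ip, dest_port) and the eventtype firewall-deny are taken from the searches above; the regex is the one posted, with its quotes escaped for map's search string.

```spl
| inputlookup firewalls.csv
| table host
| map maxsearches=100 search="
    search host=$host$ error_code=*
    | stats count by host error_code event_desc
    | sort -count
    | eval report=\"error_summary\"
    | append [
        search host=$host$ eventtype=firewall-deny
        | stats count by host src_ip dest_ip dest_port
        | sort 25 -count
        | eval report=\"top_denies\"
      ]
    | append [
        search host=$host$ error_code=\"111008\"
        | rex field=_raw \"User (?<user>.*) executed the (?<command>.*) command.\"
        | table _time host user command
        | eval report=\"commands_executed\"
      ]"
| table report host _time error_code event_desc src_ip dest_ip dest_port count user command
| sort host report -count
```

Save this as a report with the time range set to the previous month (earliest -1mon@mon, latest @mon) and schedule it for the first of the month with an email action; map passes the outer search's time range to each inner search. Keeping host in the stats by-clause and the table command, rather than re-inserting $host$ with eval, is what ties each row back to its firewall once the three result sets are appended. Two caveats to check in your own environment: the maxsearches value must be at least the number of firewalls in the lookup, or map silently stops after that many hosts, and each append is a subsearch and so is subject to the default subsearch row and time limits, so a busy firewall's deny table may be truncated unless those limits are raised or the per-host searches are narrowed.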

lguinn2
Legend

Actually, I think you might be surprised at how much can be combined into a single report.

What are the three searches?

0 Karma