Reporting

How do I create a report that lists all servers and devices reporting to Splunk broken out by country?

jldebell
Path Finder

We need to create a report that lists all devices and servers reporting into Splunk. We want to have the report broken out by country. We don't have an internal cross-reference to identify servers to countries. I was using this search, based on other Answers questions:

index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" sourcetype="splunkd" fwdType="*" | dedup sourceHost | stats count by hostname, sourceHost, fwdType, guid, os, arch

I tried to plug in the geoip/iplocation searches to see if we could obtain the location of our servers. I wasn't able to get results.

Please advise if you have suggestions.

Thanks!

Jenn

0 Karma

lguinn2
Legend

You would need to make an inventory of all your devices. Store it in a CSV file like this:

device,ip,country,latitude,longitude
www1,10.10.2.101,US,33.8090,-117.9190
www2,10.20.2.102,France,48.8687,2.7818

I added the lat/lon just for fun, but you don't need it. Use this CSV file to create a lookup table: Use field lookups...

If you do this, then you could run this search (if you named the lookup "device_lookup"):

index=_internal sourcetype="splunkd" group=tcpin_connections
| dedup sourceHost
| lookup device_lookup device as sourceHost 
| stats count  by hostname, sourceHost, fwdType, guid, os, arch, country

Or

index=_internal sourcetype="splunkd" group=tcpin_connections
| eval sourceHost=coalesce(hostname, sourceHost) 
| lookup device_lookup device as sourceHost 
| stats sum(kb) as total_KB  by sourceHost, fwdType, guid, os, arch

Or even

index=_internal sourcetype="splunkd" group=tcpin_connections
| eval sourceHost=coalesce(hostname, sourceHost) 
| lookup device_lookup device as sourceHost 
| geostats latfield=latitude longfield=longitude sum(kb) as total_KB  by sourceHost
0 Karma
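As an added example (not part of the thread), here is one way to generate the device_lookup CSV from a site-to-subnet table when no per-device cross-reference exists, and to emulate the coalesce/dedup/lookup/stats chain from the searches above in Python. SUBNET_COUNTRY, DEVICES and EVENTS are constructed values, and country_for_ip also flags public addresses, which are the only ones iplocation could have resolved.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed site table: which private subnet belongs to which country. The
# thread has no such table; this is an assumption used to build its CSV.
SUBNET_COUNTRY = {"10.10.0.0/16": "US", "10.20.0.0/16": "France"}
# Constructed forwarder inventory as (device, ip) pairs.
DEVICES = [("www1", "10.10.2.101"), ("www2", "10.20.2.102"), ("db1", "10.30.0.5")]

def country_for_ip(ip):
    """Resolve an IP to a country via the site table; flag public addresses."""
    addr = ipaddress.ip_address(ip)
    if addr.is_global:
        return "public"  # only these could be resolved by Splunk's iplocation
    for cidr, country in SUBNET_COUNTRY.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return "unknown"  # private address outside every known site subnet

def build_lookup_csv(devices):
    """Return device_lookup.csv text with the columns used in the answer."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["device", "ip", "country"])
    for device, ip in devices:
        writer.writerow([device, ip, country_for_ip(ip)])
    return buf.getvalue()

def count_by_country(events, lookup_csv):
    """Emulate: eval sourceHost=coalesce(hostname, sourceHost) | dedup sourceHost
    | lookup device_lookup device as sourceHost | stats count by country."""
    lookup = {r["device"]: r["country"] for r in csv.DictReader(io.StringIO(lookup_csv))}
    seen, counts = set(), Counter()
    for event in events:
        host = event.get("hostname") or event["sourceHost"]
        if host not in seen:
            seen.add(host)
            counts[lookup.get(host, "unmatched")] += 1  # unmatched: not in inventory
    return dict(counts)

# Constructed tcpin_connections-style events; the duplicate www1 event is dropped.
EVENTS = [{"sourceHost": "www1", "hostname": None}, {"sourceHost": "www1", "hostname": None},
          {"sourceHost": "10.20.2.102", "hostname": "www2"}, {"sourceHost": "db1", "hostname": "db1"},
          {"sourceHost": "rogue", "hostname": None}]

if __name__ == "__main__":
    LOOKUP_CSV = build_lookup_csv(DEVICES)
    print(LOOKUP_CSV, count_by_country(EVENTS, LOOKUP_CSV))
```

Hosts that come back as "unmatched" or "unknown" are the ones to chase down in the inventory before trusting the per-country totals.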

harsmarvania57
Ultra Champion

Do your forwarders have public IP addresses? If your forwarders do not have public IPs, then you can't filter them with GeoIP/iplocation.

0 Karma

jldebell
Path Finder

Thank you for asking. I didn't think of that. The IP addresses are private, so GeoIP/iplocation won't work.

0 Karma