Reporting

How do I create a report that lists all servers and devices reporting to Splunk broken out by country?

jldebell
Path Finder

We need to create a report that lists all devices and servers reporting into Splunk. We want to have the report broken out by country. We don't have an internal cross-reference to identify servers to countries. I was using this search based on other Answer questions.

 index=_internal source="/opt/splunk/var/log/splunk/metrics.log*" sourcetype="splunkd" fwdType="*" | dedup sourceHost|stats count  by hostname, sourceHost, fwdType, guid, os, arch

I tried to plug in the geoip/iplocation searches to see if we could obtain the location of our servers. I wasn't able to get results.

Please advise if you have suggestions.

Thanks!

Jenn

0 Karma

lguinn2
Legend

You would need to make an inventory of all your devices. Store it in a CSV file like this

device,ip,country,latitude,longitude
www1,10.10.2.101,US,33.8090,-117.9190
www2,10.20.2.102,France,48.8687,2.7818

I added the lat/lon just for fun, but you don't need it. Use this CSV file to create a lookup table: Use field lookups...

If you do this, then you could run this search (if you named the lookup "device_lookup"):

index=_internal sourcetype="splunkd" group=tcpin_connections
| dedup sourceHost
| lookup device_lookup device as sourceHost 
| stats count  by hostname, sourceHost, fwdType, guid, os, arch, country

Or

index=_internal sourcetype="splunkd" group=tcpin_connections
| eval sourceHost=coalesce(hostname, sourceHost) 
| lookup device_lookup device as sourceHost 
| stats sum(kb) as total_KB  by sourceHost, fwdType, guid, os, arch

Or even

index=_internal sourcetype="splunkd" group=tcpin_connections
| eval sourceHost=coalesce(hostname, sourceHost) 
| lookup device_lookup device as sourceHost 
| geostats latfield=latitude longfield=longitude sum(kb) as total_KB  by sourceHost
0 Karma

harsmarvania57
SplunkTrust
SplunkTrust

Are your forwarder have public IP address?? If your forwarders do not have public IP then you can't filter out with GeoIP/IPlocation.

0 Karma

jldebell
Path Finder

Thank you for asking. I didn't think of that. The ip addresses are private, so GeoIP/IPLocation won't work.

0 Karma
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

REGISTER NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more ...

Security Highlights | November 2022 Newsletter

 November 2022 2022 Gartner Magic Quadrant for SIEM: Splunk Named a Leader for the 9th Year in a RowSplunk is ...

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...