How do you get a report of machines that are VMs?

ShaunBaker
Path Finder

I've seen searches using _internal to identify OS, but is there a way to identify what clients are physical and which are VMs?

0 Karma

FrankVl
Ultra Champion

I'd typically get that kind of context from a CMDB and feed that into lookups in Splunk to enrich events with such information (e.g. through Enterprise Security's Asset&Identity framework).

Not sure if there is any way to tell the difference between a VM and a physical from logs. What logs are you collecting and do you have a UF on the respective machines?

0 Karma

ShaunBaker
Path Finder

I think pretty basic/standard sourcetypes for Windows, application, system and security. There are a lot of different eventtypes though, so I will dig around.

I do have a UF on the VMs in question.

Hoping to use Splunk to help with generating my CMDB haha.

0 Karma

FrankVl
Ultra Champion

Right, ok 🙂

Not sure whether you can see it in the logs (maybe check the system events close to startup or something, maybe that holds a clue).

Otherwise, it should be possible to use some commands to check the system type, which you could put into a scripted input. Maybe the windows TA even already contains some scripted / wmi inputs that enable you to find out.

0 Karma

ShaunBaker
Path Finder

So we have WMI working and I found a string that at least got me some VMs, but it required that the VM be a Windows VM, no joy on the Linux side. Could probably add something to our Linux deployment app to check for VMware tools. If I cast the net really wide there seem to be snippets of VM info in sourcetype WinHostMon, WindowsUpdateLog, and even eventtype nix-all-logs, so hopefully I can whip something up that is accurate and clean.

0 Karma
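One way to do the Linux side of what the thread describes, as an added example (not code from the thread, from Splunk, or from any Splunk add-on): a scripted input for the Universal Forwarder that classifies the host from its DMI strings (or from systemd-detect-virt when available) and emits one key=value event. The script name, the inputs.conf stanza and the field names are assumptions.

```shell
#!/bin/sh
# virt_check.sh: scripted input for a Linux Universal Forwarder that emits one
# key=value event telling whether the host is a VM (and on which hypervisor).
# Added example; not from the thread, the Splunk platform or any Splunk add-on.
# Assumed deployment: bin/virt_check.sh inside a deployment app, referenced
# from inputs.conf as [script://./bin/virt_check.sh] with an interval.

# Classify from DMI strings (vendor + product) as exposed by the firmware.
# Prints "vm:<hypervisor>" or "physical". Pure function so it can be tested.
classify_virt() {
  s=$(printf '%s %s' "$1" "$2" | tr '[:upper:]' '[:lower:]')
  case "$s" in
    *vmware*)                        echo "vm:vmware" ;;
    *virtualbox*|*innotek*)          echo "vm:virtualbox" ;;
    *qemu*|*kvm*|*bochs*)            echo "vm:kvm" ;;
    *xen*)                           echo "vm:xen" ;;
    *"virtual machine"*|*hyper-v*)   echo "vm:hyperv" ;;
    *)                               echo "physical" ;;
  esac
}

# Read a DMI attribute from sysfs; empty when absent or not readable.
dmi_read() {
  cat "/sys/class/dmi/id/$1" 2>/dev/null | tr -d '\n' || true
}

# Build the event line Splunk will index. Uses systemd-detect-virt when
# present (it also sees container/paravirt cases), DMI classification otherwise.
build_event() {
  vendor=$(dmi_read sys_vendor)
  product=$(dmi_read product_name)
  if command -v systemd-detect-virt >/dev/null 2>&1; then
    v=$(systemd-detect-virt 2>/dev/null || true)
    case "$v" in
      ""|none) virt=$(classify_virt "$vendor" "$product") ;;
      *)       virt="vm:$v" ;;
    esac
  else
    virt=$(classify_virt "$vendor" "$product")
  fi
  printf '%s host=%s virt_type=%s dmi_vendor="%s" dmi_product="%s"\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$virt" "$vendor" "$product"
}

build_event
```

A host that reports neither a known hypervisor string nor a systemd-detect-virt result is labelled physical, so a lookup built from these events should be cross-checked against WMI results on the Windows side before it is trusted as an inventory.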