Reporting

How do you get a report of machines that are VMs?

ShaunBaker
Path Finder

I've seen searches using _internal to identify OS, but is there a way to identify what clients are physical and which are VMs?

0 Karma

FrankVl
Ultra Champion

I'd typically get that kind of context from a CMDB and feed that into lookups in Splunk to enrich events with such information (e.g. through Enterprise Security's Asset&Identity framework).

Not sure if there is any way to tell the difference between a VM and a physical from logs. What logs are you collecting and do you have a UF on the respective machines?

0 Karma

ShaunBaker
Path Finder

I think pretty basic/standard sourcetypes for Windows: application, system and security. There are a lot of different eventtypes though, so I will dig around.

I do have a UF on the VMs in question.

Hoping to use Splunk to help with generating my CMDB haha.

0 Karma

FrankVl
Ultra Champion

Right, ok 🙂

Not sure whether you can see it in the logs (maybe check the system events close to startup or something, maybe that holds a clue).

Otherwise, it should be possible to use some commands to check the system type, which you could put into a scripted input. Maybe the Windows TA even already contains some scripted / WMI inputs that enable you to find out.

0 Karma

ShaunBaker
Path Finder

So we have WMI working and I found a string that at least got me some VMs, but it required that the VM be a Windows VM, no joy on the Linux side. Could probably add something to our Linux deployment-app to check for VMware tools. If I cast the net really wide there seem to be snippets of VM info in sourcetype WinHostMon, WindowsUpdateLog, and even eventtype nix-all-logs, so hopefully I can whip something up that is accurate and clean.

0 Karma
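
For the Linux side discussed above, a scripted input can read the SMBIOS/DMI strings the kernel exposes under `/sys/class/dmi/id` rather than checking for VMware Tools. This is an added example, not code from the thread or from any Splunk add-on; the function names, output field names and the (non-exhaustive) vendor list are assumptions.

```shell
#!/bin/sh
# Scripted-input sketch for a Linux forwarder: print one key=value event
# stating whether the host looks virtual, based on DMI vendor/product strings.

# classify_dmi VENDOR PRODUCT -> hypervisor name, "none" (physical) or "unknown".
# The vendor list is an assumption and not exhaustive; extend it for your estate.
classify_dmi() {
    case "$1|$2" in
        *VMware*)                                  echo vmware ;;
        "Microsoft Corporation|Virtual Machine"*)  echo hyperv ;;
        "QEMU|"*|*"|KVM"*)                         echo kvm ;;
        *innotek*|*VirtualBox*)                    echo virtualbox ;;
        "Xen|"*)                                   echo xen ;;
        "Amazon EC2|"*)                            echo aws ;;
        "Google|"*)                                echo gce ;;
        "|")                                       echo unknown ;;  # no DMI data
        *)                                         echo none ;;
    esac
}

# read_dmi FIELD -> contents of /sys/class/dmi/id/FIELD, or empty if unreadable
# (the directory is missing on some platforms and inside many containers).
read_dmi() {
    [ -r "/sys/class/dmi/id/$1" ] && cat "/sys/class/dmi/id/$1" 2>/dev/null || true
}

# vm_event VENDOR PRODUCT -> one event line; field names are hypothetical.
vm_event() {
    hv=$(classify_dmi "$1" "$2")
    case "$hv" in
        none)    virt=false ;;
        unknown) virt=unknown ;;
        *)       virt=true ;;
    esac
    printf 'is_virtual=%s hypervisor=%s sys_vendor="%s" product_name="%s"\n' \
        "$virt" "$hv" "$1" "$2"
}

# Emit the event for this host; Splunk indexes whatever the script prints.
vm_event "$(read_dmi sys_vendor)" "$(read_dmi product_name)"
```

Deployed in an app's `bin` directory and referenced from a `[script://...]` stanza in `inputs.conf` with a long interval, this gives one searchable event per host. A host that reports `is_virtual=unknown` has no readable DMI data and needs another check.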