Reporting

Report of Clients

teeeebro
Loves-to-Learn

Hello,

How can I create a list of All clients reporting into a host, whether matched or unmatched?

This should be a very simple task, but I sure cannot find a solution.

Thanks,

Terry

Labels (2)
0 Karma

isoutamo
SplunkTrust
SplunkTrust

Hi

another option is enable forwarder monitoring on your MC (or your local instance).

Settings -> Monitoring Console

-> Settings -> Forwarder Monitoring Setup

Then wait some time and look with

Settings -> Monitoring Console

-> Forwarders -> Forwarders: Deployment

r. Ismo

0 Karma

teeeebro
Loves-to-Learn

No errors, but no results either.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @teeeebro,

sorry, my error: I forgot thet you don't have events but csv rows!

Please this this (the same thing without metasearch and rename the hostname field):

if the hostname in csv is called "Hostname" (otherwise rename it!):

index=your_index
| eval Hostname=lower(Hostname)
| stats count BY Hostname
| append [ | inputlookup perimeter.csv | eval Hostname=lower(host), count=0 | fields Hostname count ]
| stats sum(count) AS total BY Hostname
| eval status=if(total=0,"unmatched","matched")
| table Hostname status

The logic is:

  • you have a list of hosts with rows in csv in "count" field,
  • you add the lookup's list of hosts each one with count=0,
  • you sume the count field from inde and lookup.

So:

  • total=0 means that you have only the host in the lookup,
  • total>0 means that you have the host both in index and lookup.

Ciao.

Giuseppe 

 

0 Karma

teeeebro
Loves-to-Learn

It was user error on my part.  I have results now, however, they are ALL unmatched.

teeeebro_0-1611683204395.png

In the CSV I list all 1035 of our servers.  The end result I'm looking for is a list of all systems Splunk sees, whether matched or unmatched.

teeeebro_1-1611683404225.png

We are just getting started with deploying the agent to our 1035 servers, and I need a CSV export so I can reconcile any differences.  If I have a list of all 1035 servers, and a list of what Splunk sees, it takes 30 seconds for Excel to do a column comparison.

Hope that makes sense.  And THANKS for the help!  I am Way further ahead now that I was earlier.

Regards,

Terry

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @teeeebro,

at first check if the matched are at the end of the list.

if you have all unmatched means that you can read from the lookup but not from the index

what happens if you run:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host

?

Ciao.

Giuseppe

 

0 Karma

teeeebro
Loves-to-Learn

Yes - I need a little more guidance, please.

I created the CSV which contains a list of ALL my server hostnames.  The search read the file, but there are no results.

teeeebro_0-1611678974881.png

This was my search

teeeebro_1-1611679037313.png

 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @teeeebro,

the lookup is called "perimeter.cav", contains at least a column called "host", you creted it and you created also the related lookup definition for this lookup, is it correct?

then, what do you mean with "no results"?

at least you should have the hosts from lookuop and the hosts from _internal, which resuld have you?

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @teeeebro,

are you speaking of servers monitored by Splunk Universal Forwarders?

If this is you need, you have to create a list (in a lookup called e.g. perimeter.csv) containing all the clients to monitor (at least one column called e.g. host) and then run a search like this:

| metasearch index=_internal
| eval host=lower(host)
| stats count BY host
| append [ | inputlookup perimeter.csv | eval host=lower(host), count=0 | fields host count ]
| stats sum(count) AS total BY host
| eval status=if(total=0,"unmatched","matched")
| table host status

Ciao.

Giuseppe

0 Karma

teeeebro
Loves-to-Learn

Thank you for the reply.

Yes - I need a list of servers monitored by Splunk Universal Forwarders.

I'm very new to using Splunk, but I'll take what you provided and give it a shot.

Thanks again!

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @teeeebro,

tell me if you solve or if you need more help.

Ciao and happy splunking.

Giuseppe

P.S.: karma Points are appreciated 😉

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...