Hi,
When I use the query below, I'm not able to get the Unix OS host type. Can you please let me know what the reason could be?
index=_internal source="*metrics.log" group=tcpin_connections
| eval sourceHost=if(isnull(hostname), sourceHost, hostname)
| eval connectionType=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf","Light Weight Forwarder", fwdType=="full","Splunk Indexer", connectionType=="cooked" or connectionType=="cookedSSL","Splunk Forwarder", connectionType=="raw" or connectionType=="rawSSL","Legacy Forwarder")
| eval build=if(isnull(build),"n/a",build)
| eval version=if(isnull(version),"pre 4.2",version)
| eval guid=if(isnull(guid),sourceHost,guid)
| eval os=if(isnull(os),"n/a",os)
| eval arch=if(isnull(arch),"n/a",arch)
| eval my_splunk_server=splunk_server
| fields connectionType sourceIp sourceHost sourcePort destPort kb tcp_eps tcp_Kprocessed tcp_KBps my_splunk_server build version os arch
| eval lastReceived=if(kb>0, _time, null())
| stats first(sourceIp) as sourceIp first(connectionType) as connectionType first(sourcePort) as sourcePort first(build) as build first(version) as version first(os) as os first(arch) as arch max(_time) as lastConnected max(lastReceived) as lastReceived sum(kb) as kb avg(tcp_eps) as avg_eps by sourceHost
| stats first(sourceIp) as sourceIp first(connectionType) as connectionType first(sourcePort) as sourcePort first(build) as build first(version) as version first(os) as os first(arch) as arch max(lastConnected) as lastConnected max(lastReceived) as lastReceived first(kb) as KB first(avg_eps) as eps by sourceHost
| addinfo
| eval status=if(isnull(KB) or lastConnected<(info_max_time-60000),"missing", if(lastConnected>(lastReceived+300) or KB==0,"quiet","active"))
| sort sourceHost
This search works just fine for me, but I don't get UNIX either: I get known *NIX variants such as Linux, HP-UX, AIX, and SunOS.
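For anyone who lands here later with the same question, here is an added offline model of the posted search in Python. It is my own example, not the poster's query or any Splunk code: it parses a handful of constructed metrics.log tcpin_connections lines (field names follow the posted search; hosts, addresses, versions and timestamps are made up, and one host deliberately sends no build/version/os/arch, like a pre-4.2 forwarder), applies the same eval and stats logic, and then tags each row by OS family. The UNIX_FAMILY set is an assumption built from the reply above (Linux, HP-UX, AIX, SunOS) and is the part you would extend; the point it demonstrates is that `os` carries per-OS names like "Linux" or "SunOS", never a generic "unix", so matching on the family is what gets you the Unix hosts.

```python
"""Offline model of the forwarder-status search (added example, not Splunk's
or the poster's code).  Shows what the `os` field ends up holding per host."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events in the shape of splunkd metrics.log
# tcpin_connections lines.  old01 reports no build/version/os/arch/fwdType,
# nix02 last connected a day earlier, db01 is connected but sends 0 kb.
SAMPLE_LOG = """\
01-06-2015 09:00:05.123 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.3:51234:9997, connectionType=cookedSSL, sourcePort=51234, sourceHost=web01, sourceIp=10.1.2.3, destPort=9997, kb=12.5, tcp_eps=10.0, tcp_Kprocessed=120, tcp_KBps=1.2, build=245427, version=6.2.1, os=Linux, arch=x86_64, hostname=web01, guid=AAAA-1, fwdType=uf, ssl=true
01-06-2015 09:00:05.124 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.4:41000:9997, connectionType=cookedSSL, sourcePort=41000, sourceHost=db01, sourceIp=10.1.2.4, destPort=9997, kb=0, tcp_eps=0, tcp_Kprocessed=0, tcp_KBps=0, build=245427, version=6.2.1, os=SunOS, arch=sun4v, hostname=db01, guid=AAAA-2, fwdType=uf, ssl=true
01-06-2015 09:00:05.125 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.5:39000:9997, connectionType=cooked, sourcePort=39000, sourceHost=old01, sourceIp=10.1.2.5, destPort=9997, kb=3.0, tcp_eps=2.0, tcp_Kprocessed=40, tcp_KBps=0.3
01-06-2015 09:00:05.126 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.6:50000:9997, connectionType=cookedSSL, sourcePort=50000, sourceHost=win01, sourceIp=10.1.2.6, destPort=9997, kb=8.0, tcp_eps=5.0, tcp_Kprocessed=90, tcp_KBps=0.8, build=245427, version=6.2.1, os=Windows, arch=x86_64, hostname=win01, guid=AAAA-3, fwdType=uf, ssl=true
01-05-2015 09:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.1.2.7:52000:9997, connectionType=cookedSSL, sourcePort=52000, sourceHost=nix02, sourceIp=10.1.2.7, destPort=9997, kb=1.0, tcp_eps=1.0, tcp_Kprocessed=10, tcp_KBps=0.1, build=245427, version=6.2.1, os=AIX, arch=powerpc, hostname=nix02, guid=AAAA-4, fwdType=uf, ssl=true
"""

# Assumed *NIX family, taken from the reply above; extend with what you see.
UNIX_FAMILY = {"Linux", "HP-UX", "AIX", "SunOS"}


def parse_metrics_line(line):
    """Return the key=value fields of one tcpin_connections event, else None."""
    head, sep, body = line.partition(" - ")
    if not sep:
        return None
    fields = {}
    for token in body.split(", "):
        key, eq, value = token.partition("=")
        if eq:  # skips the bare "ip:port:port" token
            fields[key.strip()] = value.strip()
    if fields.get("group") != "tcpin_connections":
        return None
    # "01-06-2015 09:00:05.123 +0000" -> epoch seconds, i.e. Splunk's _time
    stamp = " ".join(head.split()[:3])
    fields["_time"] = datetime.strptime(stamp, "%m-%d-%Y %H:%M:%S.%f %z").timestamp()
    return fields


def normalize(ev):
    """Mirror the eval commands of the posted search for one event."""
    fwd, conn = ev.get("fwdType"), ev.get("connectionType")
    if fwd == "uf":
        ctype = "Universal Forwarder"
    elif fwd == "lwf":
        ctype = "Light Weight Forwarder"
    elif fwd == "full":
        ctype = "Splunk Indexer"
    elif conn in ("cooked", "cookedSSL"):
        ctype = "Splunk Forwarder"
    elif conn in ("raw", "rawSSL"):
        ctype = "Legacy Forwarder"
    else:
        ctype = None  # case() with no matching branch yields null
    return {
        "sourceHost": ev.get("hostname") or ev.get("sourceHost"),
        "sourceIp": ev.get("sourceIp"),
        "connectionType": ctype,
        "build": ev.get("build", "n/a"),
        "version": ev.get("version", "pre 4.2"),
        "os": ev.get("os", "n/a"),
        "arch": ev.get("arch", "n/a"),
        "kb": float(ev.get("kb", 0)),
        "eps": float(ev.get("tcp_eps", 0)),
        "_time": ev["_time"],
    }


def summarize(log_text, info_max_time=None):
    """Mirror the stats and status evals: one row per sourceHost."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_metrics_line(line)
        if ev:
            n = normalize(ev)
            per_host[n["sourceHost"]].append(n)
    if info_max_time is None:  # stand-in for addinfo's info_max_time
        info_max_time = max(e["_time"] for evs in per_host.values() for e in evs)
    rows = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["_time"])
        first = evs[0]
        last_connected = max(e["_time"] for e in evs)
        received = [e["_time"] for e in evs if e["kb"] > 0]
        last_received = max(received) if received else None
        kb = sum(e["kb"] for e in evs)
        if last_connected < info_max_time - 60000:
            status = "missing"
        elif kb == 0 or (last_received is not None and last_connected > last_received + 300):
            status = "quiet"
        else:
            status = "active"
        rows[host] = {
            **{k: first[k] for k in ("sourceIp", "connectionType", "build", "version", "os", "arch")},
            "lastConnected": last_connected, "lastReceived": last_received,
            "KB": kb, "eps": sum(e["eps"] for e in evs) / len(evs),
            "status": status,
            "unixLike": first["os"] in UNIX_FAMILY,  # the family match the OP wants
        }
    return rows


if __name__ == "__main__":
    for host, row in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{host:6} os={row['os']:8} version={row['version']:8} "
              f"status={row['status']:8} unixLike={row['unixLike']}")
```

Run it and you get one line per host: the Linux, SunOS and AIX hosts are the ones flagged unixLike, the forwarder that reports nothing shows os=n/a and version=pre 4.2 (so an old forwarder, not a missing OS), and db01 is "quiet" because it connected but sent 0 kb. In SPL the equivalent of unixLike is a filter such as `os IN ("Linux","HP-UX","AIX","SunOS")` after the stats, rather than looking for a literal "unix" value.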
Hi,
Did you get Unix and Linux hosts with the above query?
Yes, that is EXACTLY what I said.