Reporting

Unix Hosts are not reporting and count is not proper

srinivasup
Explorer

*Hi
When I use below query, Im not able to get unix os host type: Can you please let me know what could be the reason

index=_internal source="*metrics.log" group=tcpin_connections 
|  eval sourceHost=if(isnull(hostname), sourceHost,hostname) |eval connectionType=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf", "Light Weight Forwarder",fwdType=="full", "Splunk Indexer", connectionType=="cooked" or connectionType=="cookedSSL","Splunk Forwarder", connectionType=="raw" or connectionType=="rawSSL","Legacy Forwarder") | eval build=if(isnull(build),"n/a",build)
| eval version=if(isnull(version),"pre 4.2",version)
| eval guid=if(isnull(guid),sourceHost,guid)
| eval os=if(isnull(os),"n/a",os)
| eval arch=if(isnull(arch),"n/a",arch)
| eval my_splunk_server = splunk_server | fields connectionType sourceIp sourceHost sourcePort destPort kb tcp_eps tcp_Kprocessed tcp_KBps my_splunk_server build version os arch
| eval lastReceived = if(kb>0, _time, null)
| stats first(sourceIp) as sourceIp first(connectionType) as connectionType first(sourcePort) as sourcePort first(build) as build first(version) as version first(os) as os first(arch) as arch max(_time) as lastConnected max(lastReceived) as lastReceived sum(kb) as kb avg(tcp_eps) as avg_eps by sourceHost
| stats first(sourceIp) as sourceIp first(connectionType) as connectionType first(sourcePort) as sourcePort first(build) as build first(version) as version first(os) as os first(arch) as arch max(lastConnected) as lastConnected max(lastReceived) as lastReceived first(kb) as KB first(avg_eps) as eps by sourceHost
| eval status = if(isnull(KB) or lastConnected<(info_max_time-60000),"missing",if(lastConnected>(lastReceived+300) or KB==0,"quiet","active")) |sort sourceHost*
Tags (1)
0 Karma

woodcock
Esteemed Legend

This search works just fine for me but I don't get UNIX either: I get known *NIX variants such as, Linux, HP UX, AIX, and SunOS.

srinivasup
Explorer

Hi,

Did you get Unix, Linux hosts? with the above query.

0 Karma

woodcock
Esteemed Legend

Yes, that is EXACTLY what I said.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

New Learning Videos on Topics Most Requested by You! Plus This Month’s New Splunk ...

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...