Splunk Enterprise

Inventory status monitoring

new2spl_unk
Explorer

Dear all, 

Current situation is I uploaded an inventory table to Splunk and the table is like below.

Hostname   IP
---------  -------
hostname1  6.6.6.6
hostname2  7.7.7.7

And I would like to check the log collection status (e.g. is the device sending logs to Splunk, what is the last log time) for the devices on the list and produce a list like below.

Hostname   IP       Status  Last_log_time
---------  -------  ------  -------------------
hostname1  6.6.6.6  Yes     2021-03-03 00:00:00
hostname2  7.7.7.7  No      N/A

I tried to use "|metadata" but it seems like the metadata is not accurate. May I have some ideas of how to do this task?

manjunathmeti
Champion

Hi @new2spl_unk,

From the Splunk documentation on the metadata command:

If you specify a time range other than All Time for your search, the search results might not be precise. The metadata is stored as aggregate numbers for each bucket on the index. A bucket is either included or not included based on the time range you specify.

So you need to select All Time in the time range picker for it to work; also, you cannot use earliest in the search query.

| metadata type=hosts index=* | lookup csvfilename.csv host AS Hostname OUTPUT IP

If this reply helps you, an upvote/like would be appreciated.

new2spl_unk
Explorer

Thanks for your reply. 

But I did select All Time in the time range to check if the devices on the inventory list have logs within the last 30 days, but it turned out that some devices did have logs in the past 30 days, yet the status showed "No log".

Can you suggest how to write a query for checking whether those devices on the list have logs in the past 30 days?


manjunathmeti
Champion

Try this:

| metadata type=hosts index=_* | where lastTime > relative_time(now(), "-30d")

new2spl_unk
Explorer

Thanks for your reply. By using the query I am able to locate the devices that have logs within the past 30 days. But additionally, I need to compare it with a CSV and then produce a new CSV with status, which means I need to produce a list like below by comparing the metadata table and the inventory CSV.

Hostname  IP       status
--------  -------  --------------------------------------
deviceA   1.1.1.1  "Receiving log"
deviceB   2.2.2.2  "No log can be found from past 30days"


manjunathmeti
Champion

You can try this search:

| metadata type=hosts index=*
| lookup csvfilename.csv host AS Hostname OUTPUT IP
| eval status=if(lastTime>relative_time(now(), "-30d"), "Receiving log", "No log can be found from past 30days")
| table Hostname, IP, status

If these replies help you, upvotes/likes would be appreciated.


new2spl_unk
Explorer

I really appreciate your reply. But this query will miss some devices that exist on the inventory list but never sent logs to Splunk. I would like to mark the status on the inventory list rather than the metadata list.


manjunathmeti
Champion

Try this:

| inputlookup csvfilename.csv
| eval host=Hostname
| append [| metadata type=hosts index=_* ]
| stats max(*) as * by host
| eval status=if(lastTime>relative_time(now(), "-30d"), "Receiving log", "No log can be found from past 30days")
| table host, IP, status

If this reply helps you, an upvote/like would be appreciated.

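The reconciliation that the final search performs (inventory rows appended to metadata rows, collapsed per host, then compared against a 30-day cutoff) is easy to get subtly wrong, so here is the same logic written out in Python on constructed data. This is an added example, not code from the thread or from Splunk: the inventory CSV, the metadata rows and the reference time are all made up, and the script goes one step beyond the SPL by also normalising hostname case and by listing hosts that send logs but are absent from the inventory, which a defender usually wants to see as well.

```python
"""Reconcile an asset inventory against Splunk `| metadata type=hosts` output.

Added example (not from the thread): mirrors the SPL
  inputlookup -> eval host=Hostname -> append [metadata] -> stats max(*) by host
on constructed data, and additionally reports hosts seen in metadata that are
not on the inventory at all.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed inventory, same columns as the thread's csvfilename.csv.
INVENTORY_CSV = """Hostname,IP
hostname1,6.6.6.6
hostname2,7.7.7.7
hostname3,8.8.8.8
"""

# Fixed "now" so the example is reproducible (constructed value).
NOW = datetime(2021, 3, 10, tzinfo=timezone.utc)

# Constructed stand-in for `| metadata type=hosts` rows. lastTime is epoch
# seconds, which is how Splunk returns it. Note the differing case on the
# second row: a plain `stats ... by host` in SPL would not match it.
METADATA_ROWS = [
    {"host": "hostname1", "lastTime": int((NOW - timedelta(days=7)).timestamp()),  "totalCount": 120},
    {"host": "HOSTNAME2", "lastTime": int((NOW - timedelta(days=45)).timestamp()), "totalCount": 3},
    {"host": "rogue-host", "lastTime": int((NOW - timedelta(days=1)).timestamp()), "totalCount": 9},
]


def _norm(hostname):
    """Normalise a host name so inventory and metadata rows join reliably."""
    return hostname.strip().lower()


def reconcile(inventory_csv, metadata_rows, now, window_days=30):
    """Return (report, unlisted).

    report   : one dict per inventory row with Status and Last_log_time,
               equivalent to the SPL `eval status=if(lastTime>relative_time(...))`.
    unlisted : hosts present in metadata but missing from the inventory.
    """
    cutoff = now - timedelta(days=window_days)
    no_log = f"No log can be found from past {window_days}days"

    # Equivalent of `stats max(lastTime) by host`: keep the newest lastTime per host.
    latest = {}
    for row in metadata_rows:
        key = _norm(row["host"])
        latest[key] = max(latest.get(key, 0), int(row["lastTime"]))

    report = []
    seen = set()
    for inv in csv.DictReader(io.StringIO(inventory_csv)):
        key = _norm(inv["Hostname"])
        seen.add(key)
        if key in latest:
            last = datetime.fromtimestamp(latest[key], tz=timezone.utc)
            status = "Receiving log" if last >= cutoff else no_log
            last_str = last.strftime("%Y-%m-%d %H:%M:%S")
        else:
            # Host never produced metadata at all: the case the earlier
            # lookup-based search dropped, because it started from metadata.
            status, last_str = no_log, "N/A"
        report.append({"Hostname": inv["Hostname"], "IP": inv["IP"],
                       "Status": status, "Last_log_time": last_str})

    unlisted = sorted(set(latest) - seen)
    return report, unlisted


if __name__ == "__main__":
    rows, extra = reconcile(INVENTORY_CSV, METADATA_ROWS, NOW)
    for r in rows:
        print(f"{r['Hostname']:<10} {r['IP']:<8} {r['Status']:<38} {r['Last_log_time']}")
    print("Logging but not in inventory:", extra)
```

Two caveats carry over to the SPL version. First, `stats ... by host` is case-sensitive, so if the `host` field set by forwarders does not match the inventory exactly, the device will be reported as silent; the `_norm` helper above shows the normalisation to apply with `eval host=lower(Hostname)` on both sides. Second, the `metadata` command only reflects buckets within the selected time range, which is why the thread insists on All Time; the cutoff comparison in `reconcile` assumes `lastTime` is the true latest event time.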