Splunk Search

Add priority to systems and set up alerts for critical systems

spj2
New Member

Hi,

I am trying to find an automatic way of adding asset priority (Critical, High, etc.) based on IP address and/or hostname in the Splunk Enterprise app so that I can set up alerts and prioritize investigations on these. I know that the Splunk PCI Compliance app does that, but we don't have it. I have searched the forum too, but haven't found anything.

Does anyone know of a way to achieve this?

Thanks in advance.

SPJ


spj2
New Member

Thanks it works with a slight modification:

yoursearchhere
| lookup assetLookup assetId as src_ip OUTPUT priority
| stats count by priority

yoursearchhere
| lookup assetLookup assetId as host OUTPUT priority
| where priority="High" OR priority="Critical"


lguinn2
Legend

I suggest using a lookup table. Your CSV file might look like this:

AssetList.csv

assetId,priority
192.168.15.22,Medium
fileserver01,Low

Here is the Splunk tutorial: Use field lookups. In my examples below, I assume that you have uploaded the AssetList.csv file and created a lookup called assetLookup.

Ultimately, you should be able to do something like this:

yoursearchhere
| lookup assetLookup src_ip as assetId OUTPUT priority
| stats count by priority

yoursearchhere
| lookup assetLookup host as assetId OUTPUT priority
| where priority="High" OR priority="Critical"
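As an added example (not from either poster), a single search that enriches on either src_ip or host and is suitable for saving as a scheduled alert. It assumes the assetLookup lookup from the answer above, with its assetId and priority columns, and events that carry src_ip and/or host; the lookup column is named first and the event field after AS, as in the modified version that worked.

```spl
yoursearchhere
| lookup assetLookup assetId AS src_ip OUTPUT priority AS src_priority
| lookup assetLookup assetId AS host OUTPUT priority AS host_priority
| eval priority=coalesce(src_priority, host_priority, "Unknown")
| where priority="Critical" OR priority="High"
| stats count,
        values(host) AS hosts,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen
  BY priority, src_ip
```

Assets that match neither column get priority "Unknown"; the where clause drops them here, but an inventory-gap search can filter on that value instead. Saved with a schedule and an alert condition of count > 0, this gives the per-priority alert asked for in the question.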