Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Combining Searches from Multiple Sourcetypes

m314219
Explorer
‎10-05-2020 12:56 PM

Looking for some advice on combining searches from multiple sourcetypes into a single report for my auditing team. They have requested a report showing hostnames and for each host the current AV definitions, the last time the sec log was cleared or archived, and then content from a couple of text files that is produced by some scheduled tasks on the systems. I currently have all of this info in Splunk, but will need to create a single report to show it all. As an example, how could I take the three queries I've put together so far into the same report?

index=windows source="WinEventLog:Security" EventCode="1105" | rename Date as LastSecLogArchive | stats latest(LastSecLogArchive) by host

index=windows sourcetype="Symantec:VirusDefs" | stats latest(CurrDefs) by host

index=windows source="WinEventLog:Security" EventCode="1102" | rename Date as LastSecLogClear | stats latest(LastSecLogClear) by host

Labels (4)
Labels
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎10-07-2020 03:23 AM

I'm not sure what you want to do.

 

index=windows (source="WinEventLog:Security" (EventCode="1105" OR EventCode="1102" ) ) OR sourcetype="Symantec:VirusDefs" 
| stats latest(eval(if(EventCode="1105", Date,NULL))) as LastSecLogArchive ,latest(eval(if(EventCode="1102", Date,NULL))) as LastSecLogClear ,latest(CurrDefs) as CurrDefs by host
| join host [search index=_internal source=*metrics.log group=tcpin_connections earliest=-2d@d arch=x64 | eval age = (now() - _time ) | stats min(age) as age, max(_time) as LastTime by hostname | convert ctime(LastTime) as "UF Last Active On" | eval Status=case(age < 1800,"Running",age > 1800,"DOWN") | rename Status as "UF Status" | table hostname,"UF Status","UF Last Active On" |rename hostname as host]

like this?

View solution in original post

Reply
Solved! Jump to solution

m314219
Explorer
‎10-09-2020 04:11 AM

Thanks! Was able to finish the final search:

(index=windows OR index=_internal) (source="WinEventLog:Security" (EventCode="1105" OR EventCode="1102") OR (source=*metrics.log group=tcpin_connections earliest=-2d@d arch=x64)) OR sourcetype="Symantec:VirusDefs" OR sourcetype="PowerShell:WinSystemInfo" NOT PS_SN="VMware-*" | eval age = (now() - _time ) | stats latest(PS_OS_Version) as OSVersion latest(PS_W10_Build) as W10Build latest(PS_Manufac) as Manufac latest(PS_Model) as Model latest(PS_SN) as SN latest(PS_AV_Date) as AVDate latest(PS_BitLocker) as BitLocker latest(eval(if(EventCode="1105",Date,NULL))) as LastSecLogArchive latest(eval(if(EventCode="1102",Date,NULL))) as LastSecLogClear max(_time) as LastActive min(age) as age by host | convert ctime(LastActive) as "UF Last Active On" | eval Status=case(age < 1800,"Running",age > 1800,"DOWN") | rename Status as "UF Status" | table host,OSVersion,W10Build,AVDate,BitLocker,LastSecLogArchive,LastSecLogClear,"UF Status","UF Last Active On",Manufac,Model,SN

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎10-07-2020 03:23 AM

I'm not sure what you want to do.

 

index=windows (source="WinEventLog:Security" (EventCode="1105" OR EventCode="1102" ) ) OR sourcetype="Symantec:VirusDefs" 
| stats latest(eval(if(EventCode="1105", Date,NULL))) as LastSecLogArchive ,latest(eval(if(EventCode="1102", Date,NULL))) as LastSecLogClear ,latest(CurrDefs) as CurrDefs by host
| join host [search index=_internal source=*metrics.log group=tcpin_connections earliest=-2d@d arch=x64 | eval age = (now() - _time ) | stats min(age) as age, max(_time) as LastTime by hostname | convert ctime(LastTime) as "UF Last Active On" | eval Status=case(age < 1800,"Running",age > 1800,"DOWN") | rename Status as "UF Status" | table hostname,"UF Status","UF Last Active On" |rename hostname as host]

like this?

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎10-05-2020 02:39 PM

index=windows (source="WinEventLog:Security" (EventCode="1105" OR EventCode="1102" ) ) OR sourcetype="Symantec:VirusDefs" | stats latest(eval(if(EventCode="1105",  Date,NULL))) as LastSecLogArchive    latest(eval(if(EventCode="1102",  Date,NULL))) as LastSecLogClear  latest(CurrDefs) as CurrDefs by host

 

Reply
Solved! Jump to solution

m314219
Explorer
‎10-05-2020 08:59 PM

Thanks! How would you add in another search like this?

index=_internal source=*metrics.log group=tcpin_connections earliest=-2d@d arch=x64 | eval age = (now() - _time ) | stats min(age) as age, max(_time) as LastTime by hostname | convert ctime(LastTime) as "UF Last Active On" | eval Status=case(age < 1800,"Running",age > 1800,"DOWN") | rename Status as "UF Status" | table hostname,"UF Status","UF Last Active On"

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...