Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Combining Searches from Multiple Sourcetypes
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looking for some advice on combining searches from multiple sourcetypes into a single report for my auditing team. They have requested a report showing hostnames and for each host the current AV definitions, the last time the sec log was cleared or archived, and then content from a couple of text files that is produced by some scheduled tasks on the systems. I currently have all of this info in Splunk, but will need to create a single report to show it all. As an example, how could I take the three queries I've put together so far into the same report?
index=windows source="WinEventLog:Security" EventCode="1105" | rename Date as LastSecLogArchive | stats latest(LastSecLogArchive) by host
index=windows sourcetype="Symantec:VirusDefs" | stats latest(CurrDefs) by host
index=windows source="WinEventLog:Security" EventCode="1102" | rename Date as LastSecLogClear | stats latest(LastSecLogClear) by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure what you want to do.
index=windows (source="WinEventLog:Security" (EventCode="1105" OR EventCode="1102" ) ) OR sourcetype="Symantec:VirusDefs"
| stats latest(eval(if(EventCode="1105", Date,NULL))) as LastSecLogArchive ,latest(eval(if(EventCode="1102", Date,NULL))) as LastSecLogClear ,latest(CurrDefs) as CurrDefs by host
| join host [search index=_internal source=*metrics.log group=tcpin_connections earliest=-2d@d arch=x64 | eval age = (now() - _time ) | stats min(age) as age, max(_time) as LastTime by hostname | convert ctime(LastTime) as "UF Last Active On" | eval Status=case(age < 1800,"Running",age > 1800,"DOWN") | rename Status as "UF Status" | table hostname,"UF Status","UF Last Active On" |rename hostname as host]like this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! Was able to finish the final search:
(index=windows OR index=_internal) (source="WinEventLog:Security" (EventCode="1105" OR EventCode="1102") OR (source=*metrics.log group=tcpin_connections earliest=-2d@d arch=x64)) OR sourcetype="Symantec:VirusDefs" OR sourcetype="PowerShell:WinSystemInfo" NOT PS_SN="VMware-*" | eval age = (now() - _time ) | stats latest(PS_OS_Version) as OSVersion latest(PS_W10_Build) as W10Build latest(PS_Manufac) as Manufac latest(PS_Model) as Model latest(PS_SN) as SN latest(PS_AV_Date) as AVDate latest(PS_BitLocker) as BitLocker latest(eval(if(EventCode="1105",Date,NULL))) as LastSecLogArchive latest(eval(if(EventCode="1102",Date,NULL))) as LastSecLogClear max(_time) as LastActive min(age) as age by host | convert ctime(LastActive) as "UF Last Active On" | eval Status=case(age < 1800,"Running",age > 1800,"DOWN") | rename Status as "UF Status" | table host,OSVersion,W10Build,AVDate,BitLocker,LastSecLogArchive,LastSecLogClear,"UF Status","UF Last Active On",Manufac,Model,SN
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure what you want to do.
index=windows (source="WinEventLog:Security" (EventCode="1105" OR EventCode="1102" ) ) OR sourcetype="Symantec:VirusDefs"
| stats latest(eval(if(EventCode="1105", Date,NULL))) as LastSecLogArchive ,latest(eval(if(EventCode="1102", Date,NULL))) as LastSecLogClear ,latest(CurrDefs) as CurrDefs by host
| join host [search index=_internal source=*metrics.log group=tcpin_connections earliest=-2d@d arch=x64 | eval age = (now() - _time ) | stats min(age) as age, max(_time) as LastTime by hostname | convert ctime(LastTime) as "UF Last Active On" | eval Status=case(age < 1800,"Running",age > 1800,"DOWN") | rename Status as "UF Status" | table hostname,"UF Status","UF Last Active On" |rename hostname as host]like this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=windows (source="WinEventLog:Security" (EventCode="1105" OR EventCode="1102" ) ) OR sourcetype="Symantec:VirusDefs" | stats latest(eval(if(EventCode="1105", Date,NULL))) as LastSecLogArchive latest(eval(if(EventCode="1102", Date,NULL))) as LastSecLogClear latest(CurrDefs) as CurrDefs by host
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! How would you add in another search like this?
index=_internal source=*metrics.log group=tcpin_connections earliest=-2d@d arch=x64 | eval age = (now() - _time ) | stats min(age) as age, max(_time) as LastTime by hostname | convert ctime(LastTime) as "UF Last Active On" | eval Status=case(age < 1800,"Running",age > 1800,"DOWN") | rename Status as "UF Status" | table hostname,"UF Status","UF Last Active On"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
