Splunk Search

How to separate search results by Deployment Server (server class)

kuriya1268
Engager

I am using splunk>enterprise.

For each department that the people whose logs we collect belong to,

I created a Deployment Server server class

and added the matching clients to that server class.


When I run a search from the search bar, the logs of all clients are returned,

but I would like to search only the logs of the clients that belong to a specific Deployment Server server class.

Is it possible to add a condition like that?

Thank you in advance.


millarma
Path Finder

I am enjoying practicing translating into Japanese. I will come back and try that a little later.

If I am understanding you correctly, you want to list all clients for a given server class in a Splunk search.  I found a search online and tested it on my deployment server.

| rest /services/deployment/server/clients count=0 splunk_server=local | stats values(serverClasses.*.stateOnClient) as * by hostname
| untable hostname ServerClassNames dummy
|search ServerClassNames="*Airwatch*"
| stats values(hostname) as host | format

It is a little tricky, I will try to explain each step. 

The first thing to know is this command can only be run on the deployment server.  It will not work if you run it on the search head. So on your deployment server, go to search app and paste it there.

Line #1 | rest /services/deployment/server/clients count=0 splunk_server=local | stats values(serverClasses.*.stateOnClient) as * by hostname
This line uses the REST command to list all deployment clients and lots of information about each. The stats command filters that information to just the fields that display server class.
[screenshot: pre_untable.jpg]

Line#2 - | untable hostname ServerClassNames dummy

The untable command takes the column names and turns them into field names.
[screenshot: post_untable.jpg]

Line#3 - | search ServerClassNames="Airwatch*"

In my environment, I have a server class called "Airwatch" , this line filters down to just members of that server class.  You would type your own server class name there.

Line#4 - | stats values(hostname) as host | format

Because we are on the deployment server, we cannot search the indexers.  So this line creates a list of key value pairs, host=<hostname>, one for each.  This we will copy and paste into the search bar of the search head.
[screenshot: formatHost.jpg]
For the next step we will log into our search head.  In my example I searched windows event logs: 

I type my base search, index=wineventlog and paste my formatted list of hosts:
[screenshot: justThesehosts.jpg]


I know this is complicated but I do not believe there is an easier way.  I hope this helps.

kuriya1268
Engager

(English: sorry if my English is inaccurate.)
Great, clear answers, thank you!

I'm a beginner, but you explain things in a way that's easy to understand.
I understood it very well.

But what I want to do is much simpler.

I will state specifically.

I collect logs from multiple windows PC's.

The following query is then used to check CPU utilization.


index=performance source="Perfmon:CPU Load" counter="% Processor Time"
| bin span=1m _time
| stats avg(Value) AS cpu_usage by _time,host
| where cpu_usage > 85
| sort 0 -_time


However, all PCs are searched for in this query.

I only want to search for PCs belonging to a particular deployment server.

What is the best way to do this?

I would like to see search criteria added to this query.
(For example, | where ServerClassNames="*Airwatch*" ?? ← This doesn't work...)


millarma
Path Finder

I think I understand, you are wondering if there is an easier way.  You may also want a long term solution, one that automatically updates itself, not a one time solution. 

Unfortunately, to the best of my knowledge, there is not a field in Splunk by default that displays a host's server class membership. 

The good news is we can create the field we need.  We can create the field called server_class.  And we can populate that field with the correct values.


We can create such a field, either with a lookup table or tagging, or an index time field extraction. 
   

For me, I would build on the method I suggested above, create a scheduled search on the deployment server that lists the members of each server class.  I would configure this report to write the results to an index. 


I would then schedule a search on the search head to turn this data into a lookup table.  The result would be a self-updating lookup table that lists all hosts and which server classes they are a member of.

Step 1 - scheduled report on deployment server

I would use this search:
| rest /services/deployment/server/clients count=0 splunk_server=local | stats values(serverClasses.*.stateOnClient) as * by hostname
| untable hostname server_class dummy
|fields - dummy
|collect index=test sourcetype=serverclass

This search will list ALL clients and server classes, then it will remove the field named dummy as it is not needed.  It then writes that data to an index, in this case the 'test' index. 

It also applies a sourcetype=serverclass.  Also please note that I used the untable command to create a field called 'server_class'.   I will then schedule this to run every day, so it will be self-updating.  

Step 2 - Schedule a search that creates a lookup table on the search head.

Now that I have run the above search at least once, there will be new event data in my 'test' index with a sourcetype of serverclass.   I can now run a search that will create a table of all hosts and the server classes they are a part of.  

index=test sourcetype=serverclass
|stats count by server_class hostname
| fields - count
|outputlookup serverClassLookup.csv

This search will create a table of all hosts and server classes and then create a lookup file with those contents.  I will schedule this search the same as the other one, so that it will update itself regularly.


Step 3 - set up lookup definition and automatic lookup
I will omit a detailed description of these steps in the interest of time; if you want more details on how to do so, I am happy to elaborate.  For now, let's assume you did so.  You are now able to do a basic Splunk search such as index=wineventlog server_class=Airwatch.

Now there are other ways to solve this same problem and MANY MANY details and decisions I have skipped over in order to keep things simple.  And there are pluses and minuses for the various options.  This is the best option in my opinion but it depends on your circumstances.


I am running out of time, so I will stop the Japanese here. You probably did not really need it, but it was good practice for me and quite fun.

index=test sourcetype=serverclass
|stats count by server_class hostname
|field - count
|outputlookup serverClassLookup.csv

this search will create a table of all hosts and server classes and then create a lookup file with those contents.  I will schedule this search same as the other one, so that it will update itself regularly.


Step 3 - set up lookup definition and automatic lookup
I will omit a detailed description of these steps in the interest of time, if you want more details on how to do so, I am happy to elaborate.  For now, let assume you did so.  You are now able to do a basic Splunk search such as index=wineventlog server_class=Airwatch.

Now there are other ways to solve this same problem and MANY MANY details and decisions I have skipped over in order to keep things simple.  And there are plusses and minuses for the various options.  This is the best option in my opinion but it depends on your circumstances.

 

 

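To tie the answers back to the CPU query in the question, here are three searches as an added example; they are not code from either poster. The index, source, counter, the field names hostname, server_class and Value, the file name serverClassLookup.csv and the server class name Airwatch are all taken from the thread. Two assumptions are mine: that the search head can search the index the deployment server's collect command wrote to (the deployment server is a search peer, or its events are forwarded to the indexers), and that the host field on the performance events is the same string as the hostname the deployment server reports for that client. The second assumption is the one that silently breaks this approach, so the third search checks it. The 24-hour window in that check is also my choice.

```spl
index=performance source="Perfmon:CPU Load" counter="% Processor Time"
    [ | inputlookup serverClassLookup.csv
      | search server_class="Airwatch"
      | dedup hostname
      | fields hostname
      | rename hostname AS host ]
| bin span=1m _time
| stats avg(Value) AS cpu_usage by _time, host
| where cpu_usage > 85
| sort 0 -_time

index=performance source="Perfmon:CPU Load" counter="% Processor Time"
| lookup serverClassLookup.csv hostname AS host OUTPUT server_class
| search server_class="Airwatch"
| bin span=1m _time
| stats avg(Value) AS cpu_usage by _time, host
| where cpu_usage > 85
| sort 0 -_time

index=performance source="Perfmon:CPU Load" counter="% Processor Time" earliest=-24h
| stats count AS events by host
| lookup serverClassLookup.csv hostname AS host OUTPUT server_class
| where isnull(server_class)
| table host events
```

The first search expands the subsearch into (host="pc01") OR (host="pc02") ... before the main search runs, so the indexers return only events for the chosen hosts; prefer it when the class is a small fraction of the fleet (a subsearch returns at most 10,000 results by default). The second search filters after the events come back, using an explicit lookup; this is what the automatic lookup from Step 3 does for you, and once Step 3 is configured the lookup line can be dropped and server_class="Airwatch" placed directly in the base search. A host that belongs to several server classes gets a multivalue server_class, and the search on it matches if any value is Airwatch. The third search lists hosts that report CPU data but have no row in the lookup: a non-empty result means a name mismatch (FQDN versus short name, different case, or a host override in inputs.conf) or a PC that sends data without being a deployment client, and those hosts are invisible to the first two searches.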