Hello,
please can someone assist with creating syntax to
1. know the numbers of desktop, laptops, servers and network devices that I have onboarded into Splunk cloud?
2. Create alert if a new device is onboarded?
3. Count the numbers of the different types of devices that have been onboarded
4. create a table for the above
thanks
Hi @codeJesus,
the solution to your question depends on how you classified your data, in other words:
if you archived them, e.g.:
it's easy to do the work you ask:
to solve items 1,2,4 run something like this:
| metasearch index=*
| stats values(host) AS host count BY index
for item 3, you have to create a lookup (called e.g. perimeter.csv), to be updated e.g. every night using a search like the following:
| metasearch index=*
| dedup host
| sort host
| table host
| outputlookup perimeter.csv
then you can create an alert like the following that fires if there's a new host sending logs:
| metasearch index=* NOT [ | inputlookup perimeter.csv | fields host ]
| stats count BY host
It's a little more complicated if you don't have a classification by index.
In this case, you have to create a lookup like the following:
| metasearch index=*
| dedup host
| sort host
| table host
| outputlookup perimeter.csv
and then manually add the type of each host.
If you have a rule (e.g. a naming convention), you could use it to classify the hosts, e.g.:
in this case you can extract the type with an eval:
| metasearch index=*
| dedup host
| sort host
| table host
| eval type=case(like(host,"%srvwin%"),"Windows Server",like(host,"%dskwin%"),"Windows Desktop",like(host,"%srvlnx%"),"Linux Server",like(host,"%appl%"),"Network Device")
| outputlookup perimeter.csv
Ciao.
Giuseppe
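As an added example (not Giuseppe's searches and not Splunk documentation), the three pieces of the answer above wired together as conf stanzas: a macro that classifies a host from the sourcetypes it sends (host-name rules like `dskwin` only as a refinement), a one-off search that builds the baseline lookup, an alert that adds each never-before-seen host to the lookup as it fires, and a report that counts hosts per type. It uses `tstats` on the indexed host and sourcetype fields instead of `metasearch`. The sourcetype patterns, the `dskwin` naming rule, the lookup columns (host, type, first_seen), the schedules and the soc@example.com address are all assumptions to adapt; on Splunk Cloud the same searches can be pasted into the search bar and saved as reports and alerts from the UI instead of shipping conf files.

```ini
# macros.conf (added example; adjust the assumed sourcetype patterns)
# Input: rows with host and sourcetype. Output: one row per host with a type.
[classify_host]
definition = stats values(sourcetype) AS sourcetypes BY host \
| eval st=mvjoin(sourcetypes, " ") \
| eval type=case( \
    match(st, "XmlWinEventLog|WinEventLog|WinHostMon|Perfmon"), "Windows", \
    match(st, "linux_|syslog|sshd"), "Linux", \
    match(st, "cisco:|pan:|fortigate|juniper"), "Network Device", \
    true(), "Unknown") \
| eval type=case(type!="Windows", type, \
    like(host, "%dskwin%"), "Windows Desktop", \
    true(), "Windows Server") \
| fields host type
iseval = 0

# savedsearches.conf (added example; assumed schedules and recipient)

# Run once by hand: builds perimeter.csv with columns host, type, first_seen
# from everything that has sent data in the last 30 days.
[Perimeter - Bootstrap baseline]
search = | tstats count WHERE index=* BY host sourcetype \
| `classify_host` \
| eval first_seen=now() \
| table host type first_seen \
| outputlookup perimeter.csv
dispatch.earliest_time = -30d
dispatch.latest_time = now
enableSched = 0

# Item 2: fires when a host not yet in the lookup sends data, and appends that
# host to the lookup so it alerts only once. The 20-minute window overlaps the
# 15-minute schedule on purpose; hosts already in the lookup are filtered out,
# so the overlap cannot cause duplicate alerts.
[Perimeter - New host alert]
search = | tstats count WHERE index=* BY host sourcetype \
| `classify_host` \
| lookup perimeter.csv host OUTPUT first_seen \
| where isnull(first_seen) \
| eval first_seen=now() \
| table host type first_seen \
| outputlookup append=true perimeter.csv
cron_schedule = */15 * * * *
enableSched = 1
dispatch.earliest_time = -20m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0
alert.track = 1
alert.severity = 4
action.email = 1
action.email.to = soc@example.com

# Items 1, 3 and 4: number of hosts per device type, with the host list.
[Perimeter - Inventory by type]
search = | inputlookup perimeter.csv \
| stats count AS hosts values(host) AS host_list BY type \
| addcoltotals labelfield=type label="Total"
dispatch.earliest_time = -24h
dispatch.latest_time = now
```

Because the alert appends to the lookup rather than the lookup being rebuilt from scratch every night, a host that goes quiet for a while and comes back is not reported as new again; if you want quiet hosts to drop out of the inventory, add a scheduled search that removes rows older than your retention window instead of overwriting the file.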
Thanks for this.
does anyone know the SPL to check for the Windows OS types that have been ingested into Splunk? I have run several SPL queries but they didn't work
Hi @codeJesus ,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
Hi @codeJesus,
to check the Windows OS ingested you have to install the Splunk_TA_Windows (https://splunkbase.splunk.com/app/742) and enable the input (WinHostMon://OperatingSystem) that sends you the information about the OS.
Then you only have to display this information.
It's obviously data that doesn't change very frequently, so you can also extract it once a day or once a week.
Ciao.
Giuseppe
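As an added example (not from the original post and not from the Splunk_TA_Windows documentation), the input stanza enabled with a daily interval as suggested above, and a scheduled report that turns the resulting events into a table of OS versions and the hosts running each. The field names OS, Version and Architecture on the WinHostMon OperatingSystem event, the index name windows and the schedule are assumptions to check against your own events.

```ini
# inputs.conf on the universal forwarders (added example). Splunk_TA_Windows
# ships this stanza disabled; enabling it once a day is enough for OS data.
[WinHostMon://OperatingSystem]
type = OperatingSystem
interval = 86400
disabled = 0
index = windows

# savedsearches.conf (added example): one row per OS version, built from the
# latest OperatingSystem event of each host in the last 8 days so a host whose
# daily poll was missed once still shows up.
[Windows - OS inventory]
search = index=windows sourcetype=WinHostMon Type=OperatingSystem \
| stats latest(OS) AS os latest(Version) AS version \
        latest(Architecture) AS arch latest(_time) AS last_seen BY host \
| stats dc(host) AS hosts values(host) AS host_list BY os version arch \
| sort - hosts
cron_schedule = 0 6 * * *
enableSched = 1
dispatch.earliest_time = -8d
dispatch.latest_time = now
```

To verify the assumed field names before saving the report, run `index=windows sourcetype=WinHostMon Type=OperatingSystem | head 1` and read the fields in the event; if the TA maps them differently, rename them in the first `stats`.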