Splunk Search

Devices In Splunk- How can I create syntax, an alert, and create a table?

codeJesus
Engager

Hello, 

please can someone assist with creating syntax to

1. know the number of desktops, laptops, servers and network devices that I have onboarded into Splunk Cloud?

2. Create an alert if a new device is onboarded?

3. Count the number of different types of devices that have been onboarded

4. Create a table for the above


thanks  

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @codeJesus,

the solution to your question depends on how you classified your data, in other words:

if you archived e.g.:

  • desktop and laptops data in the wineventlog index,
  • windows servers data in the winservers index
  • linux servers in the os index
  • network devices data in the appliance index

it's easy to do the work you ask:

to solve items 1,2,4 run something like this:

| metasearch index=* 
| stats values(host) AS host count BY index

for item 3, you have to create a lookup (called e.g. perimeter.csv), to be updated e.g. every night using a search like the following

| metasearch index=* 
| dedup host
| sort host
| table host
| outputlookup perimeter.csv

then you can create an alert like the following that fires if there's a new host sending logs:

| metasearch index=* NOT [ | inputlookup perimeter.csv | fields host ]
| stats count BY host

It's a little more complicated if you don't have a classification by index.

In this case, you have to create a lookup like the following

| metasearch index=* 
| dedup host
| sort host
| table host
| outputlookup perimeter.csv

and then manually add the type of the host.

If you have a rule (e.g. a naming convention), you could use it to classify the hosts, e.g.:

  • Windows server hostnames start with srvwinxxxxx,
  • desktop and laptop hostnames start with dskwinxxxx,
  • Linux server hostnames start with srvlnxxxxx,
  • network device hostnames are IP addresses or start with applxxxx.

in this case you can extract the type with an eval:

| metasearch index=* 
| dedup host
| sort host
| table host
| eval type=case(like(host,"%srvwin%"),"windows Server",like(host,"%dskwin%"),"windows Desktop",like(host,"%srvlnx%"),"Linux Server",like(host,"%appl%"),"Network Device")
| outputlookup perimeter.csv

Ciao.

Giuseppe


0 Karma
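As an added example (not part of Giuseppe's answer), the count-by-type table for item 3 once perimeter.csv has been populated by the eval search above. It assumes perimeter.csv has the columns host and type, and that the host value metasearch returns matches the lookup's host column exactly (same case, same short name or FQDN):

```spl
| metasearch index=*
| stats count AS events min(_time) AS first_seen max(_time) AS last_seen BY host
| lookup perimeter.csv host OUTPUT type ```assumes columns host,type in perimeter.csv```
| fillnull value="unclassified" type
| stats dc(host) AS hosts sum(events) AS events values(host) AS host BY type
```

The "unclassified" row doubles as the new-host check from item 2: any host that is sending logs but is missing from perimeter.csv lands there, so an alert on `type="unclassified"` replaces the NOT-subsearch form. Keep the time range of this search aligned with how often the lookup is refreshed, otherwise a host that was onboarded after the last outputlookup run shows up as unclassified until the next refresh.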

codeJesus
Engager

Thanks for this. 

Does anyone know the SPL to check for the Windows OS types that have been ingested into Splunk? I have run several SPL queries but it didn't work.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @codeJesus ,

good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @codeJesus,

to check the Windows OS ingested you have to install the Splunk_TA_Windows (https://splunkbase.splunk.com/app/742) and enable the input (WinHostMon://OperatingSystem) that sends you the information about the OS.

Then you only have to display this information.

It's obviously data that doesn't change so frequently, so you can also extract it once a day or once a week.

Ciao.

Giuseppe

0 Karma
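As an added example (not from Giuseppe's post), once the WinHostMon://OperatingSystem input is enabled, a search that keeps the latest OS record per host and then counts hosts per OS. The sourcetype WinHostMon and the OS and Version field names are assumptions about the add-on's default extractions, not something stated in the thread; confirm them against one raw event before scheduling this:

```spl
sourcetype=WinHostMon source=OperatingSystem ```assumed sourcetype/source set by the add-on```
| stats latest(OS) AS OS latest(Version) AS Version BY host ```OS, Version: assumed field names```
| stats dc(host) AS hosts values(host) AS host BY OS Version
```

Taking latest() per host first matters because the input emits one event per collection interval, so a plain count would grow with the interval rather than with the number of machines. Running this over the last day or week, as suggested above, is enough since the OS of a host rarely changes.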
