Filtering by OS
I have the outcome of my search results but I want to filter by only OS. I was able to get all the results but need to filter it down to Windows Server OSes. What am I missing?
Current search: index="myindex" "eventcode=NUMBER"
Splunk can only help if you have the data available to filter. As someone else mentioned, WinHostMon data will get OS data into Splunk. I use the Splunk Windows TA to get this data into Splunk. Then when I want to search on a specific class, I use a subsearch:
index=main EventCode=4624 Logon_Type=2
[index=windows OS="Microsoft Windows 10*" | fields host]
That subsearch looks for all systems with a Windows 10 variant (Enterprise, Pro, etc.) and effectively adds the hostnames as an 'OR' to your base search - basically it becomes:
index=main EventCode=4624 Logon_Type=2 host1 OR host2 OR host3 OR host4
If you don't have OS data in Splunk, but need the data now, you may be able to get creative and use the host name if you have a good naming convention in place - that is, if you know all workstations are running Win 10 Pro, and all workstation names start with WKS, you could simply use something like this:
index=main host=wks* EventCode=4624 Logon_Type=2
That last example would just be a band-aid solution though - I wouldn't use that as a long-term solution, as naming conventions tend to change or systems are named improperly and then you have bad data.
Are you ingesting the WinHostMon data?
Check using this search:
index=myindex sourcetype=WinHostMon source=operatingsystem
| stats count by OS host
If you are, then this should help:
index=myindex sourcetype=WinHostMon source=operatingsystem
| stats values(OS) as OS by host
| append
[search index=myindex sourcetype=wineventlog source=WinEventLog:Security
| stats VALUES(EventCode) AS EventCode BY host ]
| stats VALUES(*) AS * BY host
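An added example, not from any of the posters, that combines the two approaches above into one search for the original question: it reads the OS string from the WinHostMon operatingsystem events and the logon events from the Security log in a single pass, then keeps only hosts whose OS is a Windows Server edition. The index, sourcetype and source names follow the posts above and are assumed to match the asker's environment, as is the "Microsoft Windows Server" prefix in the WinHostMon OS field.

```spl
index=myindex ((sourcetype=WinHostMon source=operatingsystem) OR (sourcetype=wineventlog source="WinEventLog:Security" EventCode=4624))
| stats latest(OS) AS OS, count(eval(isnotnull(EventCode))) AS logons BY host
| where like(OS, "Microsoft Windows Server%")
| sort - logons
```

Unlike the subsearch form, this is not cut off by the subsearch limits in limits.conf (10,000 results and 60 seconds by default), so it holds up on large fleets. Hosts with no WinHostMon operatingsystem event in the time range get no OS and drop out, which is itself a quick check that the inventory data is actually being ingested.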
Thanks for your response. The first command against my index didn't populate any data. I did this for each of my other indexes and nothing came up either.

Can you provide an example of your data? Otherwise it's impossible to know how OS is represented as a Splunk field.
