Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Filtering by OS

johnfrias
New Member
‎07-14-2020 02:10 PM

I have the outcome of my search results but I want to filter by only OS.  I was able to get all the results but need to filter it down to Windows Server OS's.  What am I missing?

Current search:  index="myindex" "eventcode=NUMBER"

Labels (1)
Labels
Tags (1)
0 Karma
Reply

danielansell
Path Finder
‎07-15-2020 07:25 AM

Splunk can only help if you have the data available to filter. As someone else mentioned, winhostmon data will get OS data into Splunk. I use the Splunk Windows TA to get this data into Splunk. Then when I want to search on a specific class, I use a subsearch

 

index=main EventCode=4624 Logon_Type=2 
[index=windows OS="Microsoft Windows 10*"  |  fields host]

 

That subsearch looks for all systems with a Windows 10 variant (enterprise, pro, etc) and effectively adds the hostnames as an 'OR' to your base search - basically it becomes

 

index=main EventCode=4624 Logon_Type=2 host1 OR host2 OR host3 OR host4

 

 

If you don't have OS data in Splunk, but need the data now, you may be able to get creative and use the host name if you have a good naming convention in place - that is, if you know all workstations are running Win 10 Pro, and all workstation names start with WKS, you could simply use something like this:

 

index=main host=wks* EventCode=4624 Logon_Type=2

 

 That last example would just be a bandaid solution though - I wouldn't use that as a long term solution as naming conventions tend to change or systems are named improperly and then you have bad data. 

0 Karma
Reply

anmolpatel
Builder
‎07-14-2020 07:24 PM

Are you ingesting the WinHostMon data?

Check using this search

index=myindex sourcetype=WinHostMon source=operatingsystem
| stats count by OS host

If you're, than this should help

index=myindex sourcetype=WinHostMon source=operatingsystem 
| stats values(OS) as OS by host
| append 
    [search index=myindex sourcetype=wineventlog source=WinEventLog:Security
| stats VALUES(EventCode) AS EventCode BY host ]
| stats VALUES(*) AS * BY host

 

0 Karma
Reply

johnfrias
New Member
‎07-15-2020 06:07 AM

Thanks for your response.  The first command against my index didn't populate any data.  I did this for any other of my indexes and nothing came up as well.  

Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎07-14-2020 03:29 PM

Can you provide an example of your data, otherwise it's impossible to know how OS is represented as a Splunk field.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...