Splunk Search

Find all assets in splunk

JandrevdM
Path Finder

Hi, I am new to Splunk and would like to build a dashboard to find all hosts in the environment. This should query all logs to pick up WSL environments, devices ingesting from my security tools, and overall just anything with a hostname, and classify it as domain joined, server or workstation.

I am using this to then see the devices that have the forwarder installed, and then would correlate to see what devices require the Splunk forwarder.

index="_internal" source="*metrics.log*" group=tcpin_connections
| dedup hostname
| table date_hour, date_minute, date_mday, date_month, date_year, hostname, sourceIp, fwdType, guid, version, build, os, arch
| stats count

PickleRick
SplunkTrust

You need to specify your needs more precisely. Finding sources of events is one thing, finding - for example - all hosts shown in firewall logs is a completely different cup of tea.


JandrevdM
Path Finder

Hi @gcusello, thanks!

I also tried this but it takes ages to get results.

index=*
| stats dc(computerName) as UniqueHostCount by computerName
| where UniqueHostCount > 0
| stats max(timestamp) by computerName
| table computerName

gcusello
SplunkTrust

Hi @JandrevdM ,

What in my search doesn't match your requirement?

Then, if you want the list of all your assets, you don't need all those commands, but only a list of hosts.

Then, UniqueHostCount is always 1 in your search.

Then, you don't have a timestamp from the first stats command, so you cannot use it in the second stats command, because after a stats command you have only the fields in the stats.

At least, using tstats you have a more performant search.

Ciao.

Giuseppe

 


gcusello
SplunkTrust

Hi @JandrevdM ,

with this search you can have only the list of Universal Forwarders and not the list of all devices.

In addition, you could have a more performant search in this way:

| tstats count where index=_internal BY host

If you also want other devices, you must use a different filter in the where condition, e.g.:

| tstats count where index=_internal OR index=* BY host

Ciao.

Giuseppe

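Combining the two replies, an added example that is not from any poster in this thread: one search that inventories every host seen in event data with tstats and flags which of them also appear as connecting forwarders in the metrics.log tcpin_connections events (there, `hostname` is the forwarder and `host` is the receiving indexer, which is why the subsearch groups by hostname). It assumes hosts report the same name in both places (names are lower-cased to reduce mismatches) and that the forwarder list is small enough for an append subsearch.

```spl
| tstats count latest(_time) AS last_seen WHERE index=* BY host
| eval host=lower(host), seen_in="event_data"
| append
    [ search index=_internal source=*metrics.log* group=tcpin_connections
      | stats count latest(_time) AS last_seen BY hostname fwdType version os
      | rename hostname AS host
      | eval host=lower(host), seen_in="forwarder" ]
| stats values(seen_in) AS seen_in max(last_seen) AS last_seen
        values(fwdType) AS fwdType values(version) AS uf_version values(os) AS os
        BY host
| eval has_forwarder=if(isnotnull(mvfind(seen_in, "forwarder")), "yes", "no")
| convert ctime(last_seen)
| table host has_forwarder last_seen fwdType uf_version os
| sort has_forwarder host
```

Hosts sorted to the top with has_forwarder="no" are the ones sending data only via syslog, API or another indirect path; add `| where has_forwarder="no"` to keep just that gap list for the dashboard.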