Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Finding whether firewall hosts sending logs to splunk ?

splunker969
Communicator
‎11-13-2017 06:46 AM

Hi ,
I have a list of firewall hosts names and some ips of firewall and i created the lookup of all host names of firewall along with soem with ip names .Since when iam searching below query iam getting inconsistent results .If i run below query .

|inputlookup firewall.csv | join type=left host [|metadata index=pan* OR index=cisco* OR index=juniper* ] | fillnull value=0 lastTime | search lastTime!=0 | convert ctime(lastTime) | fields host lastTime totalCount |sort lastTime

Since when i search for
index=pan* OR index=cisco* OR index=juniper* |stats count by host
correct results .Since using "*" and checking for index with larger time period is taking long time .Please help with query ?

Q:Currently we have list of firewall host names and ips .our goal is to find whether these hosts are sending logs to splunk ?

Tags (1)
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-13-2017 07:04 AM

HI splunker969,
at first invert your main search (inputlookup) with the subsearch, because in subsearches there's the limit of 50,000 results.
What's the result you are waiting for?

Your search isn't visible (use Code Sample button).

if you want to check if all hosts of your lookup send logs, you could run something like this:

| metadata index=pan* OR index=cisco* OR index=juniper*
| eval host=upper(host)
| stats count by host
| append [ | inputlookup firewall.csv | eval host=upper(host), count=0 | fields host count ]
| stats sum(count) AS Total BY host

In this way hosts where Total=0 are missed, hosts with Total>0 are present.

Bye.
Giuseppe

Reply

splunker969
Communicator
‎11-13-2017 07:43 AM

Hi cusello Thanks

Firstly thanks for answers .Since it is showing count = o and count >0 .Also added the" type=hosts",in btw the |metadata and index,
Since I have two columns in csv one host and other is firewall where .When I serach for above query that you gave me is not showing any results in lookup .Showing all results.Also is there any chance if i can search as like |Search firewall =y after lookup csv file so that i can get information which is only present in csv file .Since i performed attaching it to search gives different results .Which do not give results from csv file .

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-13-2017 08:05 AM

did you checked if lookup's hosts are present in search?
maybe in search hosts are listed with IP instead hostname.
try with 

| search index=pan* OR index=cisco* OR index=juniper*
| eval host=upper(host)
| stats count by host

and see what's the result.
Bye.
Giuseppe

0 Karma
Reply

splunker969
Communicator
‎11-13-2017 08:13 AM

Hi cusello ,I have checked list that contain the hostname .If we use tstats will that give correct results instead of metadata ?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-13-2017 08:15 AM

infact I usually use | metasearch and not | metadata
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...