Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Finding whether firewall hosts sending logs to splunk ?

splunker969
Communicator
‎11-13-2017 06:46 AM

Hi ,
I have a list of firewall hosts names and some ips of firewall and i created the lookup of all host names of firewall along with soem with ip names .Since when iam searching below query iam getting inconsistent results .If i run below query .

|inputlookup firewall.csv | join type=left host [|metadata index=pan* OR index=cisco* OR index=juniper* ] | fillnull value=0 lastTime | search lastTime!=0 | convert ctime(lastTime) | fields host lastTime totalCount |sort lastTime

Since when i search for
index=pan* OR index=cisco* OR index=juniper* |stats count by host
correct results .Since using "*" and checking for index with larger time period is taking long time .Please help with query ?

Q:Currently we have list of firewall host names and ips .our goal is to find whether these hosts are sending logs to splunk ?

Tags (1)
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-13-2017 07:04 AM

HI splunker969,
at first invert your main search (inputlookup) with the subsearch, because in subsearches there's the limit of 50,000 results.
What's the result you are waiting for?

Your search isn't visible (use Code Sample button).

if you want to check if all hosts of your lookup send logs, you could run something like this:

| metadata index=pan* OR index=cisco* OR index=juniper*
| eval host=upper(host)
| stats count by host
| append [ | inputlookup firewall.csv | eval host=upper(host), count=0 | fields host count ]
| stats sum(count) AS Total BY host

In this way hosts where Total=0 are missed, hosts with Total>0 are present.

Bye.
Giuseppe

Reply

splunker969
Communicator
‎11-13-2017 07:43 AM

Hi cusello Thanks

Firstly thanks for answers .Since it is showing count = o and count >0 .Also added the" type=hosts",in btw the |metadata and index,
Since I have two columns in csv one host and other is firewall where .When I serach for above query that you gave me is not showing any results in lookup .Showing all results.Also is there any chance if i can search as like |Search firewall =y after lookup csv file so that i can get information which is only present in csv file .Since i performed attaching it to search gives different results .Which do not give results from csv file .

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-13-2017 08:05 AM

did you checked if lookup's hosts are present in search?
maybe in search hosts are listed with IP instead hostname.
try with 

| search index=pan* OR index=cisco* OR index=juniper*
| eval host=upper(host)
| stats count by host

and see what's the result.
Bye.
Giuseppe

0 Karma
Reply

splunker969
Communicator
‎11-13-2017 08:13 AM

Hi cusello ,I have checked list that contain the hostname .If we use tstats will that give correct results instead of metadata ?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-13-2017 08:15 AM

infact I usually use | metasearch and not | metadata
Bye.
Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...