Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I edit my report on inventory of systems to get my expected output?

geoeldsul
Explorer
‎05-02-2016 11:34 AM

Looks like Splunk could be very useful in performing an inventory of systems. I have a report that runs with these parameters:

Src_IP="10.3.30.*" | stats dc(Src_IP) as Src_IP by Security_ID Src_IP | sort src_IP  ( *Run this with a time frame of TODAY*)

It works pretty good and is usable, but I was wondering if some of you long time Splunkers could help me refine it. My output is currently:

MyDomain\System1      10.3.30.15
MyDomain\FSmith       10.3.30.15
NULL SID              10.3.30.15
MyDomian\System2      10.3.30.20
MyDomain\BJones       10.3.30.20
NULL SID              10.3.30.20

So this lets me know that FSmith is using System1 and through a couple of days of checking I can reasonably surmise that FSmith is the dominate user of this system. Same with BJones and System2. How can I make it avoid the NULL SID entry? Is there a way to make it produce output like this:

MyDomain\System1    FSmith    10.3.30.15
MyDomian\System2    BJones    10.3.30.20

or better yet 

System1  FSmith   10.3.30.15
System2  Bjones   10.3.30.20

These systems are remote, so I can't just walk over and do a visual inventory. And we have a couple of remote sites.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

geoeldsul
Explorer
‎05-11-2016 05:51 AM

Ok. Sort of got it figured out. The Answer ... just change what is being searched.

The following is providing better output:

src_ip="10.1.30.*" |stats dc(src_nt_host) by src_nt_host user src_ip | sort src_nt_host

Example output returned is:

src_nt_host            user          src_ip
system1               JTKirk       10.1.30.15
system2               MRSpock      10.1.30.17

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

geoeldsul
Explorer
‎05-11-2016 05:51 AM

Ok. Sort of got it figured out. The Answer ... just change what is being searched.

The following is providing better output:

src_ip="10.1.30.*" |stats dc(src_nt_host) by src_nt_host user src_ip | sort src_nt_host

Example output returned is:

src_nt_host            user          src_ip
system1               JTKirk       10.1.30.15
system2               MRSpock      10.1.30.17
0 Karma
Reply
Solved! Jump to solution

geoeldsul
Explorer
‎05-03-2016 04:14 AM

No. Unfortunately these systems are isolated and cannot reach the internet. You can probably see the same type logs in your Windows Security Logs.
LogName=Security
SourceName=Microsoft Windows Security Auditing
EventCode=4624
EventType=0

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-02-2016 12:26 PM

Can you post some sample logs which contains all three type of entry for Security_ID field? (one containing system, second containing user and third with NULL SID)

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...