Splunk Search

How do I edit my report on inventory of systems to get my expected output?

geoeldsul
Explorer

Looks like Splunk could be very useful in performing an inventory of systems. I have a report that runs with these parameters:

Src_IP="10.3.30.*" | stats dc(Src_IP) as Src_IP by Security_ID Src_IP | sort src_IP  ( *Run this with a time frame of TODAY*)

It works pretty good and is usable, but I was wondering if some of you long time Splunkers could help me refine it. My output is currently:

MyDomain\System1      10.3.30.15
MyDomain\FSmith       10.3.30.15
NULL SID              10.3.30.15
MyDomian\System2      10.3.30.20
MyDomain\BJones       10.3.30.20
NULL SID              10.3.30.20

So this lets me know that FSmith is using System1 and through a couple of days of checking I can reasonably surmise that FSmith is the dominate user of this system. Same with BJones and System2. How can I make it avoid the NULL SID entry? Is there a way to make it produce output like this:

MyDomain\System1    FSmith    10.3.30.15
MyDomian\System2    BJones    10.3.30.20 

or better yet

System1  FSmith   10.3.30.15
System2  Bjones   10.3.30.20

These systems are remote, so I can't just walk over and do a visual inventory. And we have a couple of remote sites.

0 Karma
1 Solution

geoeldsul
Explorer

Ok. Sort of got it figured out. The Answer ... just change what is being searched.

The following is providing better output:

src_ip="10.1.30.*" |stats dc(src_nt_host) by src_nt_host user src_ip | sort src_nt_host

Example output returned is:

src_nt_host            user          src_ip
system1               JTKirk       10.1.30.15
system2               MRSpock      10.1.30.17

View solution in original post

0 Karma

geoeldsul
Explorer

Ok. Sort of got it figured out. The Answer ... just change what is being searched.

The following is providing better output:

src_ip="10.1.30.*" |stats dc(src_nt_host) by src_nt_host user src_ip | sort src_nt_host

Example output returned is:

src_nt_host            user          src_ip
system1               JTKirk       10.1.30.15
system2               MRSpock      10.1.30.17

View solution in original post

0 Karma

geoeldsul
Explorer

No. Unfortunately these systems are isolated and cannot reach the internet. You can probably see the same type logs in your Windows Security Logs.
LogName=Security
SourceName=Microsoft Windows Security Auditing
EventCode=4624
EventType=0

0 Karma

somesoni2
Revered Legend

Can you post some sample logs which contains all three type of entry for Security_ID field? (one containing system, second containing user and third with NULL SID)

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!