How to Get a List of Windows Hosts When Indexed Wi...

SplunkLunk · ‎06-23-2016

Good morning,

First time poster here. Our organization manages Splunk and allows other people access to Search. However, they have an index for just OS logs so Windows and Linux are mixed in with each other. I'm also trying to find out when the last time a "WinEventLog" source talked to Splunk so I can query machines that are not communicating.

So, can someone tell me how I can search for a Windows host that hasn't forwarded a "WinEventLog" in "X" minutes? I can do the search for the latter part. However, since Linux hosts will never forward a "WinEventLog", I would get the list of Linux hosts within the result. I would really appreciate any help you can give me. Thanks!

woodcock · ‎06-24-2016

You will need 2 searches

The first search maintains a list of hosts that have ever been seen (so you can tell when they disappear). Schedule this search to run every hour for the last hour:

| tstats values(host) AS host WHERE index=<YourIndexHere> sourcetype=WinEventLog | mvexpand host
| appendpipe [|inputcsv WinEventLogHosts.csv ]
| dedup host
| outputcsv WinEventLogHosts.csv

Next schedule this alert to run every minute for the last 5 minutes:

| tstats values(host) AS host WHERE index=<YourIndexHere> sourcetype=WinEventLog | eval type="NEW" | mvexpand host
| appendpipe [|inputcsv WinEventLogHosts.csv | eval type="OLD"]
| stats dc(type) as numTypes values(*) AS * by host
| search numTypes=1 AND type="OLD"

SplunkLunk · ‎06-27-2016

Thanks. I will give this a try and see if it will work for me. I'll report back in the next day or so.

SplunkLunk · ‎07-25-2016

woodcock,

So I'm assuming I would schedule the cron job to run -5m (earliest) to now (latest) and the cron expression would be /1***? Also, what would the trigger be? I'm assuming I'd want to report on anything that shows up as "NEW". Would that be a custom trigger? Sorry to be a pest.

woodcock · ‎07-25-2016

It is whatever your X is. Let's say your reporting threshold is 5 minutes (if a server doesn't log for 5 minutes then it is down). The decide how soon you need to be notified with a number equal-to or less than 5, for example, within 1 minute, then the period will be Every minute or */1 * * * *.

SplunkLunk · ‎07-25-2016

woodcock, I know this has been a while but I didn't notice until our admins gave me access to another domain last week. The first search above works, but it pulls a list from all the domains I have access to. Not just the one defined in the WHERE index= [my index] clause. Any idea why that happens? I explicity state the index and it shows me a combined list from six indexes I have access to. Yet, if I take out the WHERE clause the search doesn't work. So the clause is required but it acts like it's being ignored. Any idea why that would be?

SplunkLunk · ‎07-25-2016

Disregard. Figured it out

woodcock · ‎06-27-2016

With a bit of work, you could get all of this to run in a single search but this is more clear and obvious.

woodcock · ‎06-23-2016

Just setup a Distributed Management Console (DMC). It is easy and you will have to do it sooner or later and it does all that you need now and WAAAAAAY more, most of which you will (know that you) need soon enough:

http://docs.splunk.com/Documentation/Splunk/6.4.1/DMC/DMCoverview

SplunkLunk · ‎06-24-2016

Thanks. But that's not an option for me since I don't administer the console. I could make that request but right now the only tool I have available to me is search. So although the DMC would be the easy way, I need a way to do the equivalent (or similar) via search.

ddrillic · ‎06-23-2016

Exactly as woodcock said - The DMC has a section for the forwarders and you can produce a report of the "missing" ones.

alt text

How to Get a List of Windows Hosts When Indexed With Other OS and Specific Source Type

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies