Splunk Search

How to get Splunk machine configurations in a search result such as operating systems and versions?

snehalk
Communicator

Hello All,

How can we get machine configuration from a Splunk search? I am trying the search below. Here we are able to get OS information, but in Windows, we have server types like Windows 2003/2008/2012 and we haven't been able to find this.

Search:

index=_internal source=*metrics.log group=tcpin_connections | eval sourceHost=if(isnull(hostname), sourceHost,hostname) | dedup sourceHost | table sourceHost sourceIP os version | sort version

Can any one help me on this?

Thanks

0 Karma

wrangler2x
Motivator
| rest /services/deployment/server/clients  splunk_server=local
| foreach applications.*.restartSplunkd [eval Apps=if(isnotnull('<<FIELD>>'), mvappend(Apps, "<<MATCHSTR>>"), Apps)]
| foreach serverClasses.*.restartSplunkd [eval ServerClasses=if(isnotnull('<<FIELD>>'), mvappend(ServerClasses, "<<MATCHSTR>>"), ServerClasses)]
| eval Forwarder = lower(dns)
| rex field=utsname "(?<os>[^\-]+)\-(?<arch>.+)"
| eval os = case(os == "linux", "Linux", os == "windows", "Windows", arch == "sun4u", "Solaris", arch == "sun4v", "Solaris")
| fields - utsname
| lookup version2build.csv build
| rename dns AS Forwarder, averagePhoneHomeInterval AS PHI
| stats values(Apps) AS Apps, values(ServerClasses) AS ServerClasses count by Forwarder ip os arch version build clientName splunk_server PHI lastPhoneHomeTime
| fieldformat lastPhoneHomeTime=strftime(lastPhoneHomeTime, "%F %T")
| eval missing=now()-lastPhoneHomeTime-PHI | eval missing=if(missing<0, 0, missing)
| eval Missing=case (missing==0, "No", missing==1, "Yes")
| fields - missing
| addtotals count col=t row=f

If you see that Apps and ServerClass for a system to be blank, it means it is not in your configs on the Deployment Server but the system has a forwarder that is connecting to your indexer (as long as Missing is "No" that is).

0 Karma

lguinn2
Legend

If the REST API doesn't give you what you want, you could very easily write a scripted input and deploy it via the deployment server to your forwarders. You would probably want two different apps - one for Linux forwarders and one for Windows forwarders.

The one for Windows might be a batch script that looks something like this:

get_info.bat
date
time
hostname
systeminfo

Of course, you will need an inputs.conf stanza for your scripted input. Here is the documentation.

0 Karma

bmacias84
Champion

I am assuming you are using a deployment server and Splunk 6.2 or higher. The information you want is available via the REST API. You will need to run this from the DMC (Distributed Management Console or Locally from the Deployment server if you want to use search.

| rest  /services/deployment/server/clients | fields - applications*, serverClasses*

OR

 | rest splunk_server=<splunk_deployment_server> /services/deployment/server/clients | fields - applications*, serverClasses*
0 Karma

snehalk
Communicator

Hello bmacias,

Thanks for search query, we are running in 6.1.8, and when i ran above query in deployment server did not found windows details, its only have information regarding 32 or 64 bit, could you please guide me here? how will get information on which machine? (like windows server 2003/2008/2012)

Thanks

0 Karma

bmacias84
Champion

If you need additional detail the windows_ta should have inputs to collect host, os version, patches, etc. Unless you have an app or class which is only deployed to each type of windows server, then you could use an eval. Basically what @lguinn stated.

0 Karma
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Deprecation of Splunk Observability Kubernetes “Classic Navigator” UI starting ...

Access to Splunk Observability Kubernetes “Classic Navigator” UI will no longer be available starting January ...

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...