For inventory management purposes, I have been running the below Splunk search for years. It first checks Remedy and pulls a few common fields, then compares that against actual firewalls that are actively sending logs into Splunk. The output provided a list of firewalls that send active logs but are not in inventory management, and a list of devices in the inventory database which are not sending any active logs.
| set diff [search source=remedyprod TYPE=NETWORK CATEGORY=HARDWARE ITEM=FIREWALL Status="Deployed" CONFIGURATION=Production | dedup CI_Name | table CI_Name | rename CI_Name as Remedy_CI_Name ] [search index=palo source=palo_alto sourcetype=pan:system | dedup dvc_host | table dvc_host | rename dvc_host as PA_Host_Name]
Today, the inventory database is only accessible via an inputlookup. I tried modifying the above to:
| set diff [ | inputlookup ci_netgear | search source=remedyprod MANAGINGUNIT=ITSNI TYPE=NETWORK CATEGORY=HARDWARE ITEM=FIREWALL Status="Deployed" CONFIGURATION=Production Manufacturer="Palo Alto Networks" | dedup CI_Name | table CI_Name | rename CI_Name as Remedy_CI_Name ] [search index=pan_logs_traffic source=palo_alto sourcetype=pan:system | dedup dvc_host | table dvc_host | rename dvc_host as PA_Host_Name]
The result shows the full results of each search. I get a column called Remedy_CI_Name with every firewall and another column called PA_Host_Name with every firewall. It's like the "set diff" isn't doing anything at all.
Any guesses?
Thanks
d.
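As an added example (not part of the post above), here is the same inventory-versus-logging reconciliation written so that both sides land in one field with a side marker, and the comparison is done with stats rather than set. The set command treats a result as matching only when every field matches, so rows that carry the name in two differently named fields (Remedy_CI_Name vs PA_Host_Name) never cancel out. The lookup, index, source and field names are taken from the post; the lower()/trim() normalisation is an assumption about how the two name sources might differ.

```spl
| inputlookup ci_netgear
| search source=remedyprod TYPE=NETWORK CATEGORY=HARDWARE ITEM=FIREWALL Status="Deployed" CONFIGURATION=Production Manufacturer="Palo Alto Networks"
| eval fw_name=lower(trim(CI_Name)), side="remedy"
| stats count by fw_name side
| table fw_name side
| append
    [ search index=pan_logs_traffic source=palo_alto sourcetype=pan:system
      | eval fw_name=lower(trim(dvc_host)), side="pan_logs"
      | stats count by fw_name side
      | table fw_name side ]
| stats values(side) as side dc(side) as sides by fw_name
| where sides=1
| eval status=if(side="remedy", "in inventory, no active logs", "sending logs, not in inventory")
| table fw_name status
```

Devices seen on both sides get sides=2 and are filtered out; dropping the `where` line turns this into a full reconciliation report with a status per device.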