Hi we have list of hosts that are logging splunk and sending logs to splunk .Since when i created the lookup to check whether they are logging splunk .I found wrong results .In below query iam trying to get results that hosts that are not sending logs to splunk . query - |inputlookup samplehostsrecentlist.csv | join type=left host [|tstats count by host] | fillnull value=0 count | search count=0 |fields host os pci count After searching results i found that host that is in list shows sending logs to splunk .Means something wrong with search also when i use metadata search to get results that also shows wrong results. Q:We have 400 hosts list and i created csv file with columns host ,os,pci ,ip .goal is to see whether which hosts are not sending logs to splunk .Also whether it is phone homing splunk deployment server ,when was last time we get events .Please help with query which gives accurate results . I assume that there is something wrong with search or does splunk gives wrong results for even last 24 hour results for when checking more hosts ? i believe splunk gives accurate results . ... View more

Hi , I have a list of firewall hosts names and some ips of firewall and i created the lookup of all host names of firewall along with soem with ip names .Since when iam searching below query iam getting inconsistent results .If i run below query . |inputlookup firewall.csv | join type=left host [|metadata index=pan* OR index=cisco* OR index=juniper* ] | fillnull value=0 lastTime | search lastTime!=0 | convert ctime(lastTime) | fields host lastTime totalCount |sort lastTime Since when i search for index=pan* OR index=cisco* OR index=juniper* |stats count by host correct results .Since using "*" and checking for index with larger time period is taking long time .Please help with query ? Q:Currently we have list of firewall host names and ips .our goal is to find whether these hosts are sending logs to splunk ? ... View more

Hi , We have two lists of CSV files. Each one has 500 hosts and for each we need to figure out among hosts which are reporting to Splunk or not. For that I created a lookup and I'm able to see some hosts are not reporting to Splunk since I need to combine the list and also check which hosts are not reporting to the deployment server. The reason to check the deployment server is that we need to install agents on hosts which do not have among two csv files. So actually I am looking for a search that shows these columns: host, IP age , Last time reporting Splunk and agent version, reporting deployment server or not. I have two queries. Please help me search to check the lists of the servers that are reporting Splunk and the deployment. |metadata type=hosts index=* |lookup samplehostsrecentlist.csv host output PCI host os IP |search PCI=Y |eval age=(now()-recentTime)|search age >1|convert ctime(*Time)| append[ |inputlookup samplehostsrecentlist.csv ] | dedup host | fields host IP PCI os lastTime age | sort lastTime| convert timeformat="%Y-%m-%d %k:%M:%S" ctime(current_time) as current_time ctime(last_login_time) as last_login_time rmunit(age) as numSecs | eval stringSecs=tostring(numSecs,"duration") | eval stringSecs=case(stringSecs="00:00:00", "0+0:0:0", 0=0, stringSecs) | eval stringSecs = replace(stringSecs,"(\d+)\:(\d+)\:(\d+)","\1h \2min \3s") | fields - age current_time numSecs | rename stringSecs as age | sort - age index=_internal source=*metrics.log* fwdType=uf | stats values(version) as Version values(os) as OS values(fwdType) as ForwarderType values(build) as Build by hostname | join type=outer hostname [|inputlookup sample1hostsrecentlist.csv | eval hostname=host | table hostname PCI] | join type=outer hostname [|inputlookup sample2hostsrecentlist.csv | eval hostname=host | table hostname sox] | where PCI="y" OR sox="y" | rename hostname as Host ... View more

We are trying to monitor Firewall events from' X ' Environment coming to Splunk. I took the all hosts (600 hosts) related to 'X' environment and created lookup. I am able to see all events with below search but the search is too expensive and takes almost 15 minutes. For security reasons I took all names of index and Ips .When i search I included them. Can any one help with the search? Search - index=test1 OR index=test2* OR index=test3* action=blocked dest=* NOT(msg="Deny TCP (no connection) from * flags RST on interface *") (src_ip=*/* OR src_ip=*/* OR src_ip=*/* OR src_ip=*/*) | lookup hostlist.csv IP as dest | search list=y | dedup dest_port src_ip dest_ip host rule | table dest_port src_ip dest_ip host rule list ... View more