Splunk Search

Devices In Splunk- How can I create syntax, an alert, and create a table?

codeJesus
Engager

Hello, 

please can someone assist with creating syntax to

1. know the numbers of desktop, laptops, servers and network devices that I have onboarded into Splunk cloud?

2. Create alert if a new device is onboarded? 

3. Count the numbers of the different types of devices that have been onboarded 

4. create a table for the above

 

 

thanks  

0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @codeJesus,

the solution to your question depends on how you classified your data, in other words:

if you archived e.g.:

  • desktop and laptops data in the wineventlog index,
  • windows servers data in the winservers index
  • linux servers in the os index
  • network devices data in the appliance index

it's easy to make the work you ask:

to solve items 1,2,4 run something like this:

| metasearch index=* 
| stats values(host) AS host count BY index

for the item 3, you have to create a lookup (called e.g. perimeter.csv), to update e.g. every night using a search like the following

| metasearch index=* 
| dedup host
| sort host
| table host
| outputlookup perimeter.csv

 then you can create an alert like the following that's firing if there's a new host sending logs:

| metasearch index=* NOT [ | inputlookup perimeter.csv | fields host ]
| stats count By host

 It's a little more complicated if you don't have a classification by index.

In this case, you have to create a lookup like the following

| metasearch index=* 
| dedup host
| sort host
| table host
| outputlookup perimeter.csv

and then manually add the type of the host.

If you have a rule (e.g. a naming convention, you could use it to classify the hosts e.g.;

  • windows servers hostname start with srvwinxxxxx,
  • desktop and laptops hostname  start with dskwinxxxx,
  • linux servers hostname start with srvlnxxxxx,
  • network devices hostname is an IP address or start with applxxxx.

in this case you can extract the type with an eval:

| metasearch index=* 
| dedup host
| sort host
| table host
| eval type=case(like(host,"%srvwin%"),"windows Server",like(host,"%dskwin%"),"windows Desktop",like(host,"%srvlnx%"),"Linux Server",like(host,"%appl%"),"Network Device")
| outputlookup perimeter.csv

Ciao.

Giuseppe

View solution in original post

0 Karma

codeJesus
Engager

Thanks for this. 

does any one know the SPL to check for the windows OS types that have been ingested into Splunk? I have run several SPL queries but it didnt work 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @codeJesus ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @codeJesus,

to check the Windows OS ingested you have to install the Splunk_TA_Windows (https://splunkbase.splunk.com/app/742) and enable the input (WinHostMon://OperatingSystem) that sends you the information about the OS.

Then you have only to display these information.

It's obviously a data that doesn't change so frequently, so you can extract it also une time a day or one time a week.

Ciao.

Giuseppe

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @codeJesus,

the solution to your question depends on how you classified your data, in other words:

if you archived e.g.:

  • desktop and laptops data in the wineventlog index,
  • windows servers data in the winservers index
  • linux servers in the os index
  • network devices data in the appliance index

it's easy to make the work you ask:

to solve items 1,2,4 run something like this:

| metasearch index=* 
| stats values(host) AS host count BY index

for the item 3, you have to create a lookup (called e.g. perimeter.csv), to update e.g. every night using a search like the following

| metasearch index=* 
| dedup host
| sort host
| table host
| outputlookup perimeter.csv

 then you can create an alert like the following that's firing if there's a new host sending logs:

| metasearch index=* NOT [ | inputlookup perimeter.csv | fields host ]
| stats count By host

 It's a little more complicated if you don't have a classification by index.

In this case, you have to create a lookup like the following

| metasearch index=* 
| dedup host
| sort host
| table host
| outputlookup perimeter.csv

and then manually add the type of the host.

If you have a rule (e.g. a naming convention, you could use it to classify the hosts e.g.;

  • windows servers hostname start with srvwinxxxxx,
  • desktop and laptops hostname  start with dskwinxxxx,
  • linux servers hostname start with srvlnxxxxx,
  • network devices hostname is an IP address or start with applxxxx.

in this case you can extract the type with an eval:

| metasearch index=* 
| dedup host
| sort host
| table host
| eval type=case(like(host,"%srvwin%"),"windows Server",like(host,"%dskwin%"),"windows Desktop",like(host,"%srvlnx%"),"Linux Server",like(host,"%appl%"),"Network Device")
| outputlookup perimeter.csv

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...