Count of Occurence of Operating System(OS)

lohit
Path Finder

Hi all,

I have around 8 hosts in my Splunk and I am searching for a report which will list out:

  1. the operating system types in the environment.
  2. the total number of hosts of a specific OS type.

Please help with the search query.

Lohit


lohit
Path Finder

This works:

index=_internal (source=*/metrics.log OR source=*\metrics.log) | dedup os,hostname | stats count(hostname) by os


lohit
Path Finder

Also, I have devised the below query to count the number of occurrences of each OS.

index=_internal (source=*/metrics.log OR source=*\metrics.log) group="tcpin_connections" | dedup os,hostname | stats count(hostname) by os


kristian_kolb
Ultra Champion

Could you please post a few sample lines from the metrics.log? I don't have one in front of me right now.


lohit
Path Finder

I have tried this query to list out the hostname, IP, OS, and total logs collected. Please tell me what the shortcomings of this query might be.

index=_internal (source=*/metrics.log OR source=*\metrics.log) group="tcpin_connections" | eval MB=kb/1024 | stats sum(MB) by hostname,sourceHost,os | rename hostname as Source sourceHost as SourceIP os as "Source OS" sum(MB) as "Total Events"

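The two searches in this thread, the distinct-host count per OS (dedup os,hostname | stats count(hostname) by os) and the per-host volume (eval MB=kb/1024 | stats sum(MB) by hostname,sourceHost,os), reduced to plain parsing logic so the behaviour can be checked offline against a handful of metrics.log lines. This is an added Python example, not code from the thread or from Splunk. The sample lines are constructed; their field names (group, sourceHost, kb, os, hostname) follow the tcpin_connections layout of metrics.log as assumed here, and the values are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of an indexer's metrics.log as it lands in _internal.
# Four tcpin_connections lines from three forwarders (two Linux, one Windows)
# plus one unrelated "queue" line that a group filter must drop. The field
# names mirror real tcpin_connections events; the values are invented.
SAMPLE_METRICS_LOG = """\
03-14-2024 10:00:31.012 +0000 INFO  Metrics - group=tcpin_connections, 10.1.0.11:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=10.1.0.11, sourceIp=10.1.0.11, destPort=9997, kb=512.00, version=9.1.2, os=Linux, arch=x86_64, hostname=web01, fwdType=uf, ssl=false
03-14-2024 10:01:01.044 +0000 INFO  Metrics - group=tcpin_connections, 10.1.0.11:51234:9997, connectionType=cooked, sourcePort=51234, sourceHost=10.1.0.11, sourceIp=10.1.0.11, destPort=9997, kb=256.00, version=9.1.2, os=Linux, arch=x86_64, hostname=web01, fwdType=uf, ssl=false
03-14-2024 10:01:02.101 +0000 INFO  Metrics - group=tcpin_connections, 10.1.0.12:49152:9997, connectionType=cooked, sourcePort=49152, sourceHost=10.1.0.12, sourceIp=10.1.0.12, destPort=9997, kb=128.00, version=9.1.2, os=Linux, arch=x86_64, hostname=db01, fwdType=uf, ssl=false
03-14-2024 10:01:03.555 +0000 INFO  Metrics - group=tcpin_connections, 10.1.0.20:60001:9997, connectionType=cooked, sourcePort=60001, sourceHost=10.1.0.20, sourceIp=10.1.0.20, destPort=9997, kb=1024.00, version=9.1.2, os=Windows, arch=x86_64, hostname=dc01, fwdType=uf, ssl=false
03-14-2024 10:01:04.000 +0000 INFO  Metrics - group=queue, name=parsingqueue, max_size_kb=6144, current_size_kb=0, current_size=0, largest_size=3, smallest_size=0
"""

# key=value pairs after the "Metrics - " marker; the bare "ip:port:port"
# token carries no key and is skipped.
_KV = re.compile(r"\b(\w+)=([^,]*)")


def parse_tcpin_connections(text):
    """Return one dict per tcpin_connections line (the SPL group= filter)."""
    events = []
    for line in text.splitlines():
        _, sep, rest = line.partition("Metrics - ")
        if not sep:
            continue
        fields = dict(_KV.findall(rest))
        if fields.get("group") != "tcpin_connections":
            continue
        events.append(fields)
    return events


def hosts_per_os(events):
    """Equivalent of: dedup os,hostname | stats count(hostname) by os.

    The dedup collapses every connection report from the same forwarder to a
    single row, so the count is distinct forwarders per OS, not events per OS
    (stats dc(hostname) by os would give the same figure without the dedup).
    """
    seen = {(e["os"], e["hostname"]) for e in events}
    return dict(Counter(os for os, _ in seen))


def mb_per_host(events):
    """Equivalent of: eval MB=kb/1024 | stats sum(MB) by hostname,sourceHost,os.

    kb is the volume received on that connection during the metrics interval,
    so the sum is data volume in MB per forwarder, not an event count.
    """
    totals = defaultdict(float)
    for e in events:
        key = (e["hostname"], e["sourceHost"], e["os"])
        totals[key] += float(e["kb"]) / 1024
    return dict(totals)


if __name__ == "__main__":
    evts = parse_tcpin_connections(SAMPLE_METRICS_LOG)
    print("OS type    Total No of servers")
    for os_name, n in sorted(hosts_per_os(evts).items()):
        print(f"{os_name:<10} {n}")
    print()
    print("Source  SourceIP    Source OS  Total MB")
    for (host, ip, os_name), mb in sorted(mb_per_host(evts).items()):
        print(f"{host:<7} {ip:<11} {os_name:<10} {mb:.3f}")
```

Run it as a script to get the "OS type / Total No of servers" table the thread asks for. Note that `_internal` is a metrics-based inventory: a forwarder only shows up for as long as its tcpin_connections lines are retained, so a host that has been offline longer than the `_internal` retention period silently drops out of the count.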

kristian_kolb
Ultra Champion

So what do you have in _internal? Are there messages from the forwarders that contain the information on the OS?

splunkd.log messages will contain the OS information on startup of the forwarder, but that is probably not good enough, since _internal is only retained for 30 days by default. Your forwarders may not reboot that often.


lohit
Path Finder

To clarify further, I am looking to build a report in the following format:

OS type    Total No of servers
Windows    #
Linux      #


lohit
Path Finder

Yes, I am using universal forwarders, but I do not want to use Deployment Monitor, and currently Windows and Linux are the sources. I am trying to build a search on the _internal index but have not succeeded so far, as it is showing the occurrences of events corresponding to an OS type. I have to write a query for the total count of the os field per hostname field.


kristian_kolb
Ultra Champion

What log sources do you have? If you are using forwarders and use the Deployment Monitor, you can easily see this info in the DM 'all forwarders' page.
