
Labeling of Scans

barronj
Engager

So apologies in advance if this question really has to do with my general ignorance of Splunk - I'm just getting my feet wet.

I've got Splunk for Asset Discovery set up, have run a couple of test scans with custom targets and am getting results.

In my intended usage, it would be useful for me to be able to filter/search by a label that relates to the specific subnet I'm scanning - I have several hundred subnets that I need to scan, and although I would guess I can search by the subnet info (haven't worked that out yet) it would be more useful to be able to immediately filter by Location XYZ (I would have a one-to-one mapping of locations to subnets), or better yet to be able to generate reports showing all locations (subnets) that responded (or didn't), or had a change in the last day, etc.

I can't see how I could do that with the fields that are available to me when cloning the default inputs for this app to create custom inputs.

I'm wondering if I could use the Host Field shown under "more settings", but unsure whether this would have unintended effects.

Assuming that field is one I can search for and filter/sort by, it would probably get the job done for me, if there are no unintended effects.

Thanks for any help! If there is a better path to the same result, I'd love to hear it.

0 Karma

mw
Splunk Employee

I'm not sure I have quite enough info from your post to give a really solid answer, but I'll give a few thoughts here and we can whittle those down. First, let me explain a bit about how I think I might do that. The app can be sent to universal forwarders, and in fact is really intended to be. So, at a basic level it's certainly possible to set up a forwarder on each subnet and push the app to it. At that point, the reported "host" value would be that of the forwarder, so each subnet would theoretically be represented by a single host/scan point, and you would filter for that (i.e. in the "Host Overview" page you could enter host=scan_point1, etc). The benefit there is that you'd get very fast scans because they'd all be running in parallel. Of course, that may not be possible for any number of reasons, so you could also choose to (as you mentioned in your post) manually set the host value for the various inputs, even without having different hosts actually performing the scans.

There's also an existing "lookup" in the app (in $SPLUNK_HOME/lookups/geoip_internal.csv.example), which can be configured to associate a CIDR range with a city, latitude, and longitude. The use of that lookup isn't pervasive in the app at this point -- it's really just used on the GeoMap view -- but you could certainly configure it as an automatic lookup and doing so would allow you to filter by the "city" value (it doesn't really even need to be the name of a city, but could be just an arbitrary location name, and you could even modify the lookup from "city" to "location"). The benefit there is that taking the time to set up latitude and longitude will allow you to use the map to view the various locations by the up/down status, etc. The "Host Overview" page would then allow you to filter for "city=scan_point1", etc, as well. You could also just set up your own automatic lookup outside of the one mentioned in order to add your own label field to groups.

I think that it would be ideal to actually implement both of those, getting the best granularity possible with the "host" field by having multiple scan points, and then to also use an automatic lookup to add additional criteria.
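The CIDR-keyed lookup approach from the answer above, modelled offline as an added example (this is not the app's code or the lookup shipped with it). The lookup column names (network, location, lat, lon), the scan event field names (dest_ip, status) and all addresses are constructed for illustration; the CSV and event rows below stand in for the app's lookup file and its scan events:

```python
"""Offline model of a CIDR-to-location lookup used to label scan results.

Constructed example, not the Asset Discovery app's own code. The lookup
columns (network, location, lat, lon) and the event fields (dest_ip,
status) are assumptions chosen for this illustration.
"""
import csv
import io
import ipaddress

# Constructed lookup table in the shape of a Splunk CSV lookup keyed by CIDR.
# The /24 inside 10.10.0.0/16 shows how an overlapping, more specific range
# is resolved by longest-prefix match.
LOOKUP_CSV = """network,location,lat,lon
10.10.0.0/16,Location ABC,51.5074,-0.1278
10.10.5.0/24,Location ABC-Lab,51.5100,-0.1300
10.20.0.0/16,Location XYZ,40.7128,-74.0060
10.30.0.0/16,Location QRS,48.8566,2.3522
"""

# Constructed scan results, one per probed address (stand-ins for app events).
SCAN_EVENTS = [
    {"dest_ip": "10.10.1.15", "status": "up"},
    {"dest_ip": "10.10.5.9", "status": "up"},
    {"dest_ip": "10.20.3.4", "status": "down"},
    {"dest_ip": "10.20.3.5", "status": "down"},
    {"dest_ip": "192.168.1.1", "status": "up"},  # not covered by any CIDR
]


def load_lookup(csv_text):
    """Parse the lookup CSV into (network, row) pairs, most specific first."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append((ipaddress.ip_network(row["network"], strict=False), row))
    # Longest prefix first so a nested /24 wins over its enclosing /16.
    rows.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return rows


def lookup_location(lookup, ip):
    """Return the lookup row whose CIDR contains ip, or None if unmapped."""
    addr = ipaddress.ip_address(ip)
    for network, row in lookup:
        if addr.version == network.version and addr in network:
            return row
    return None


def enrich(events, lookup):
    """Attach a location field to each event, as an automatic lookup would."""
    enriched = []
    for ev in events:
        row = lookup_location(lookup, ev["dest_ip"])
        enriched.append({**ev, "location": row["location"] if row else None})
    return enriched


def location_report(enriched, lookup):
    """Per-location up/down counts plus which locations did or did not respond."""
    counts = {row["location"]: {"up": 0, "down": 0} for _, row in lookup}
    unmapped = 0
    for ev in enriched:
        loc = ev["location"]
        if loc is None:
            unmapped += 1  # address outside every configured subnet
            continue
        counts[loc]["up" if ev["status"] == "up" else "down"] += 1
    responded = sorted(loc for loc, c in counts.items() if c["up"] > 0)
    silent = sorted(loc for loc, c in counts.items() if c["up"] == 0)
    return {"counts": counts, "responded": responded,
            "silent": silent, "unmapped": unmapped}


if __name__ == "__main__":
    lk = load_lookup(LOOKUP_CSV)
    report = location_report(enrich(SCAN_EVENTS, lk), lk)
    for loc, c in sorted(report["counts"].items()):
        print(f"{loc:18s} up={c['up']} down={c['down']}")
    print("responded:", report["responded"])
    print("silent:   ", report["silent"])
    print("unmapped events:", report["unmapped"])
```

Inside Splunk the same mapping is expressed declaratively: a lookup definition in transforms.conf with `match_type = CIDR(<lookup field>)` on the network column, and a `LOOKUP-<name>` stanza in props.conf for the scan sourcetype that outputs the location column onto each event. Locations that never appear in the enriched events are the "didn't respond" set the question asks about, which is why the report is driven from the lookup's full list of locations rather than only from the events seen.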

barronj
Engager

Thanks Mike - as you know, further details provided via mail. I appreciate your help!

0 Karma