Splunk McAfee Logging: How to search what devices ...

jackshultz · ‎02-15-2016

I am trying to pull information from the ePO server into Splunk to detect agents that are not reporting in. On the device itself, it does report a communication failure, but that is generally when there is no connection. On the ePO server, the best way to determine what we are looking for is to look at the last login time which checks each agent every 60 minutes. How can I search in Splunk to show devices that aren't reporting after 60 minutes? Any information is greatly appreciated. Thank you.

vasildavid · ‎02-16-2016

You could use a metadata search and a lookup table to show you which devices aren't reporting in. I use this search for finding domain controllers that have not reported in events recently:

| inputlookup append=t domain_controller_list 
| fields nt_host 
| eval nt_host=upper(nt_host)
| where NOT [| metadata index=windows_eventlog type=hosts earliest=-60m@m latest=now
             | where lastTime > relative_time(now(), "-60m@m") 
             | rex field=host "(?<nt_host>[^\.]+)" 
             | fields nt_host
             | eval nt_host=upper(nt_host)]
| sort nt_host

The inputlookup domain_controller_list is just a list of my domain controllers that I expect to be logging to my windows_eventlog index. Change the |metadata search earliest and relative_time parameters to your needs.

jackshultz · ‎02-16-2016

I will try this out. Thank you so much and I will let you know if I got it to work.

Splunk McAfee Logging: How to search what devices have not been reporting after 60 minutes?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life