- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I edit my report on inventory of systems to...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looks like Splunk could be very useful in performing an inventory of systems. I have a report that runs with these parameters:
Src_IP="10.3.30.*" | stats dc(Src_IP) as Src_IP by Security_ID Src_IP | sort src_IP ( *Run this with a time frame of TODAY*)
It works pretty good and is usable, but I was wondering if some of you long time Splunkers could help me refine it. My output is currently:
MyDomain\System1 10.3.30.15
MyDomain\FSmith 10.3.30.15
NULL SID 10.3.30.15
MyDomian\System2 10.3.30.20
MyDomain\BJones 10.3.30.20
NULL SID 10.3.30.20
So this lets me know that FSmith is using System1 and through a couple of days of checking I can reasonably surmise that FSmith is the dominate user of this system. Same with BJones and System2. How can I make it avoid the NULL SID entry? Is there a way to make it produce output like this:
MyDomain\System1 FSmith 10.3.30.15
MyDomian\System2 BJones 10.3.30.20
or better yet
System1 FSmith 10.3.30.15
System2 Bjones 10.3.30.20
These systems are remote, so I can't just walk over and do a visual inventory. And we have a couple of remote sites.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok. Sort of got it figured out. The Answer ... just change what is being searched.
The following is providing better output:
src_ip="10.1.30.*" |stats dc(src_nt_host) by src_nt_host user src_ip | sort src_nt_host
Example output returned is:
src_nt_host user src_ip
system1 JTKirk 10.1.30.15
system2 MRSpock 10.1.30.17
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok. Sort of got it figured out. The Answer ... just change what is being searched.
The following is providing better output:
src_ip="10.1.30.*" |stats dc(src_nt_host) by src_nt_host user src_ip | sort src_nt_host
Example output returned is:
src_nt_host user src_ip
system1 JTKirk 10.1.30.15
system2 MRSpock 10.1.30.17
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No. Unfortunately these systems are isolated and cannot reach the internet. You can probably see the same type logs in your Windows Security Logs.
LogName=Security
SourceName=Microsoft Windows Security Auditing
EventCode=4624
EventType=0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you post some sample logs which contains all three type of entry for Security_ID field? (one containing system, second containing user and third with NULL SID)
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
