Getting Data In

Identifying Windows hosts

steveirogers
Communicator

I am trying to identify "windows hosts" that are logging to my Splunk indexer. Unfortunately, neither the hosts/server names nor anything like IP address subnet, have a pattern that uniquely identify my windows hosts for using a REGEX. I have looked at the metadata function and that does give me list of hosts, but that does not help because I cannot tell which hosts are "windows".

Here is what I have tried so far:
1. I created an eventtype=windows_hosts based on the following search: (sourcetype=windowsupdate OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:System") | dedup host | table host
2. This gives me the list I want, but the list is now derived by searching through the events which I am sure will be a lot of overhead depending on the timeframe I use.

Is there a simpler/more efficient way to generate this data?

Thanks.

0 Karma

yongly
Path Finder

This may be a bit late but you can always look up the summary_forwarders index for your search. I use this subsearch to look for data from only windows hosts:

index=os [ search index="summary_forwarders" os=windows | table sourceHost | dedup sourceHost | rename sourceHost as host ]

0 Karma

steveirogers
Communicator

Hello yongly. Thanks very much for your response. I should have thought of the deployment monitor. I just installed it and it helped me pinpoint the problem host. Thanks.

0 Karma

yongly
Path Finder

Alternatively, if your index has only Windows data, you can grab the list of hostnames using the metadata command:

| metadata type=hosts index=

0 Karma

yongly
Path Finder

I think that this index may only be available if you install the deployment monitor app, but it's worthwhile to install if you don't have it.

dart
Splunk Employee

You can generate a lookup table which contains the hosts which you have seen Windows data for in the past. This search will merge them into a lookup, so you could schedule it to run each day or another appropriate time period.

(sourcetype=windowsupdate OR sourcetype="WinEventLog:Application" OR sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:System") | stats count by host | eval isWinHost=1 | fields host isWinHost | inputlookup append=T windows_hosts.csv | dedup host | outputlookup windows_hosts.csv

You can then use this lookup table to check if a host is a Windows host, or you can get a list of all Windows hosts by using the inputlookup command.

0 Karma
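A scheduled version of the lookup approach in the answer above, written as an added example that is not from the original thread or from Splunk's own documentation. It uses tstats over index-time fields (host and sourcetype are both indexed), so the nightly job never retrieves raw events; it keeps one row per host with a last_seen timestamp so the CSV does not grow with duplicates; and a second stanza flags known Windows hosts that have stopped reporting, which from the indexer's side looks the same whether the forwarder died or someone disabled auditing. The stanza names, the `windows_hosts` lookup definition, the schedule and the 24h threshold are assumptions.

```ini
# transforms.conf (search head): lookup definition for the CSV. Assumed name.
# The file must exist before the scheduled search first runs: create it with
# the single header line "host,isWinHost,last_seen", or run the search once
# without the inputlookup clause.
[windows_hosts]
filename = windows_hosts.csv

# savedsearches.conf (search head): nightly merge of hosts seen in the last day.
# tstats reads only the index-time fields, so this is cheap even over large
# volumes. The second stats after the append collapses old and new rows to one
# per host, carrying the newest sighting forward as last_seen.
[Maintain Windows host lookup]
search = | tstats max(_time) as last_seen \
    where (sourcetype=windowsupdate OR sourcetype="WinEventLog:Application" \
           OR sourcetype="WinEventLog:Security" OR sourcetype="WinEventLog:System") \
    by host \
    | eval isWinHost=1 \
    | inputlookup append=t windows_hosts \
    | eval last_seen=tonumber(last_seen), isWinHost=tonumber(isWinHost) \
    | stats max(last_seen) as last_seen, max(isWinHost) as isWinHost by host \
    | outputlookup windows_hosts
cron_schedule = 0 2 * * *
dispatch.earliest_time = -24h@h
dispatch.latest_time = now
enableSched = 1

# savedsearches.conf: alert on known Windows hosts with no data in the last 24h.
# A host that was in the inventory and has gone quiet deserves a ticket; a
# stopped forwarder and a cleared/disabled Security log are indistinguishable
# here, and both matter to a SOC. Threshold is an assumption; tune it to the
# quietest legitimate host (e.g. a lab box that is off at weekends).
[Windows hosts gone quiet]
search = | inputlookup windows_hosts \
    | eval last_seen=tonumber(last_seen) \
    | where last_seen < relative_time(now(), "-24h") \
    | eval last_seen_human=strftime(last_seen, "%Y-%m-%d %H:%M:%S") \
    | table host last_seen_human
cron_schedule = 30 2 * * *
dispatch.earliest_time = -1h
dispatch.latest_time = now
enableSched = 1
alert.track = 1
counttype = number of events
relation = greater than
quantity = 0
```

To answer the original question directly with the lookup in place: `| inputlookup windows_hosts | table host` lists the inventory without touching an index, and `| lookup windows_hosts host OUTPUT isWinHost` tags any search result with whether its host is a known Windows machine.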

steveirogers
Communicator

Thanks very much Dart. I will try that.

0 Karma

steveirogers
Communicator

Thanks Cvajs. Actually, I do have all the windows servers going to "windows-only" indexes. However, my question is what is the most efficient way of reporting on those hosts? I can do the search you mentioned but it searches through all the events again to extract the host field. The gist of my question was whether I could get Splunk to dynamically maintain a list of windows-hosts at indexing time rather than at search time. But in retrospect that might not make much sense.

Thanks very much.

0 Karma

cvajs
Contributor

Well, your question to me sounds like you have disparate types of sources being dumped into the same index and now you wish to search the index for just Windows systems. Can you configure Splunk to dump all of your Windows sources into a "windows_only" index? If you do this then you don't need a custom eventtype, you just search the index directly as it will return data that is just Windows related, etc. Now your search becomes "index=windows_only | table host", or, if the user role is pinned to windows_only then all you need is "table host".

0 Karma
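The routing cvajs describes, written out as an added example that is not from the original thread: the forwarder stanzas send every Windows input to one dedicated index, the indexer defines that index, and a role is restricted to it so the listing search is reduced to a scan of one index's host field. The index name `windows_only`, the role name and the paths are assumptions; the `monitor://` stanza assumes the `windowsupdate` sourcetype in the question comes from monitoring `WindowsUpdate.log`, which the thread does not confirm.

```ini
# inputs.conf on each Windows universal forwarder. The index= key on the
# input is what makes the host list cheap later: the listing becomes a scan
# of one index rather than a sourcetype filter across everything.
[WinEventLog://Security]
disabled = 0
index = windows_only

[WinEventLog://System]
disabled = 0
index = windows_only

[WinEventLog://Application]
disabled = 0
index = windows_only

# Assumed source of the "windowsupdate" sourcetype seen in the question.
[monitor://C:\Windows\WindowsUpdate.log]
disabled = 0
sourcetype = windowsupdate
index = windows_only

# indexes.conf on the indexer(s). The index must exist before forwarders are
# pointed at it: events addressed to an undefined index are dropped unless a
# lastChanceIndex is configured, and a silent drop of Security logs is exactly
# the failure mode you do not want to discover during an incident.
[windows_only]
homePath   = $SPLUNK_DB/windows_only/db
coldPath   = $SPLUNK_DB/windows_only/colddb
thawedPath = $SPLUNK_DB/windows_only/thaweddb

# authorize.conf on the search head: a role pinned to the index. Its users get
# Windows data without naming the index in every search, and srchIndexesAllowed
# keeps them out of other indexes even if they ask for them explicitly.
[role_windows_analyst]
importRoles = user
srchIndexesAllowed = windows_only
srchIndexesDefault = windows_only
```

With the data in its own index, the cheapest listing is `| tstats count where index=windows_only by host` (or `| metadata type=hosts index=windows_only`), both of which read only index-time metadata and never retrieve events, unlike `index=windows_only | table host`, which pulls every event back to the search head before discarding everything but the host field.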