Splunk Search

How can I put results of Windows updates results per host on a map by location?

AROJ
New Member

I have a query for Windows updates per host. But I NEED to put those on a map. Is it via "geostats"?

index=* host=* sourcetype="WinEventLog:System" eventtype=windows_system_update
| timechart count(eval(eventtype="eventlog_Update_Successful")) as Installed
    count(eval(eventtype="eventlog_Update_Failed")) as Failed
0 Karma

AROJ
New Member

Thank you,

In this case:
-- | stats count as mycount by hostip Status --

"mycount" should be the name of the event, right? As Updates?

0 Karma

DalJeanis
SplunkTrust

In order to do that, you need to keep some information that will allow you to map the data. You won't be able to use timechart, which is incompatible with this usage.

You need to turn some information you have into a country name or a latitude and longitude.

Let's suppose there is a field called hostip. You can use iplocation to turn the IP into lat/long and then:

index=* host=* sourcetype="WinEventLog:System" eventtype=windows_system_update
( eventtype="eventlog_Update_Successful" OR eventtype="eventlog_Update_Failed")
| eval Status=if(eventtype="eventlog_Update_Successful","Installed","Failed")
| stats  count as mycount by hostip Status
| rename COMMENT as "The above flattens the data"

| rename COMMENT as "Now we map it."
| iplocation hostip
| stats sum(mycount) as mycount by lat lon Status 
| geostats sum(mycount) as count by Status

Here's some run-anywhere test data to play with ...

| makeresults 
| eval mydata="Failed,31.31.191.255,3 Failed,221.192.199.49,7 Installed,31.31.191.255,5 Installed,221.192.199.49,2"
| makemv mydata
| mvexpand mydata
| makemv delim="," mydata
| eval cs_username=mvindex(mydata,0)
| eval c_ip=mvindex(mydata,1)
| eval {cs_username} = mvindex(mydata,2)
| rename c_ip as hostip
| fields - mydata
| rename COMMENT as "The above just creates test data"

| stats sum(*) as * by hostip
| untable hostip Status mycount
| rename COMMENT as "The above flattens the data"

| rename COMMENT as "Now we map it."
| iplocation hostip
| stats sum(mycount) as count by lat lon Status 
| geostats sum(count) as count by Status
0 Karma
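As an added example (not from the thread, and not how Splunk runs the search internally), the same three stages of the answer above written out in plain Python so the data shape at each step is visible: label each event with a Status, flatten to a count per hostip and Status, then look up coordinates and sum the counts per lat/lon cell. The sample events are constructed from the answer's makeresults data plus one private-address host and one unrelated eventtype; GEO_TABLE is a constructed stand-in for iplocation's GeoIP lookup with placeholder coordinates, not real geolocation results. The function names are hypothetical.

```python
"""Python re-expression of the SPL pipeline in the answer above (added example).

Stage 1: eval Status=if(eventtype="eventlog_Update_Successful","Installed","Failed")
Stage 2: stats count as mycount by hostip Status
Stage 3: iplocation hostip | stats sum(mycount) as count by lat lon Status
"""
from collections import Counter, defaultdict

# Constructed input, expanded into individual events: (eventtype, hostip, how many events).
# The first four rows mirror the answer's makeresults test data; the last two are extra
# edge cases: a private IP that iplocation cannot place, and an eventtype the OR filter drops.
SAMPLE_SPEC = [
    ("eventlog_Update_Failed", "31.31.191.255", 3),
    ("eventlog_Update_Failed", "221.192.199.49", 7),
    ("eventlog_Update_Successful", "31.31.191.255", 5),
    ("eventlog_Update_Successful", "221.192.199.49", 2),
    ("eventlog_Update_Successful", "10.0.0.5", 4),   # constructed: RFC1918 host, no geo entry
    ("eventlog_Other", "31.31.191.255", 1),          # constructed: not an update event
]
SAMPLE_EVENTS = [{"hostip": ip, "eventtype": et} for et, ip, n in SAMPLE_SPEC for _ in range(n)]

# Constructed stand-in for the iplocation GeoIP database. Coordinates are placeholders.
# Both public hosts are given the same cell so the per-cell sum visibly merges two hosts.
GEO_TABLE = {
    "31.31.191.255": (50.0, 10.0),
    "221.192.199.49": (50.0, 10.0),
}


def label_status(event):
    """Stage 1: map eventtype to Status; None means the event is outside the OR filter."""
    et = event.get("eventtype")
    if et == "eventlog_Update_Successful":
        return "Installed"
    if et == "eventlog_Update_Failed":
        return "Failed"
    return None


def count_by_host_status(events):
    """Stage 2: one row per (hostip, Status) with the event count, like stats count by."""
    counts = Counter()
    for ev in events:
        status = label_status(ev)
        if status is None:
            continue  # dropped by ( ... Successful OR ... Failed )
        counts[(ev["hostip"], status)] += 1
    return dict(counts)


def geo_aggregate(host_status_counts, geo_table):
    """Stage 3: resolve hostip to (lat, lon) and sum counts per cell and Status.

    Returns (aggregated, unresolved). In Splunk, hosts that iplocation cannot place get
    no lat/lon and silently vanish from geostats; here they are returned separately so
    the gap is visible to whoever reads the map.
    """
    aggregated = defaultdict(int)
    unresolved = {}
    for (hostip, status), n in host_status_counts.items():
        coords = geo_table.get(hostip)
        if coords is None:
            unresolved[(hostip, status)] = n
            continue
        lat, lon = coords
        aggregated[(lat, lon, status)] += n
    return dict(aggregated), unresolved


if __name__ == "__main__":
    flat = count_by_host_status(SAMPLE_EVENTS)
    print("flattened (hostip, Status) -> mycount:")
    for key in sorted(flat):
        print("  ", key, flat[key])
    mapped, missing = geo_aggregate(flat, GEO_TABLE)
    print("mapped (lat, lon, Status) -> count:")
    for key in sorted(mapped):
        print("  ", key, mapped[key])
    print("not geolocated (would be missing from geostats):", missing)
```

The unresolved bucket is the part worth carrying back to Splunk: internal hosts with private addresses never get lat/lon from iplocation, so a map built this way only shows hosts with public IPs unless you add your own lookup from hostip (or host name) to site coordinates before the geostats step.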