Can you help me with a query to find a universal f...

evolutionxtinct · ‎10-30-2018

Hello,

I'm currently trying to see which devices haven't checked in to Splunk in over +30days. The query i've been using shows only 3 devices. But, when I verify that it has phoned home and sent data to the Indexer, it has — so, I'm not sure why i'm not getting accurate results.

index=_internal sourcetype=splunkd group=tcpin_connections version=* os=* arch=* build=* hostname=* source=*metrics.log
| stats latest(version) as version,latest(arch) as arch,latest(os) as os,latest(build) as build by hostname
| join hostname [ | metadata type=hosts index=*
| eval last_seen_hours=(now()-lastTime)/60/60
| search last_seen_hours > 360
| table host, last_seen_hours
| rex field=host "(?[^\.]+)" | fields - host ]

cboillot · ‎10-30-2018

Do you have the Monitoring Console set up? Its built in to the MC.

FrankVl · ‎10-30-2018

How did you check that the devices were sending data to the indexer? If a UF is only sending internal logs, that will not show in the metadata results for index=*, I believe you need to explicitly search for index=_* as well to get those results.

Can you help me with a query to find a universal forwarder device that hasn't checked in to Splunk over X days?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...