How do I phrase a search to give me all the machines sending data and their OS type?
I know this is an old thread, but here is how I do it:
index=_internal fwdType="*" | dedup sourceHost | table sourceHost, os
The best approach is almost certainly going to be to use a lookup table.
See the link for information on setting up a CSV-based lookup. Once you have such a lookup, you'll be able to do a search such as:
| metadata type=hosts | lookup mylookup host OUTPUT operating_system
If you have a scripted input running uname -a as Genti suggests, that can be used to populate your table, e.g.:
sourcetype=uname | fields host, operating_system | outputlookup mylookup
Another approach, if you're lucky enough to have all systems in some form of directory, would be to use a scripted lookup that leverages LDAP to query (for example) Active Directory.
In a real pinch, you may be able to partially fill your CSV file from data within Splunk. For example, if you see WMI events, you can safely assume that it's a Windows system, and if you see 'ASA' or 'PIX' in syslog data, it's clearly a Cisco firewall.
Ultimately though, the chances are you'll need to manually populate the CSV file.
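As an added illustration of the lookup approach (this is not the answerer's code or anything shipped with Splunk), the script below turns the kinds of evidence mentioned above into the host/operating_system CSV that the lookup search expects: it reads uname -a output from a scripted input, applies the WMI-means-Windows and ASA/PIX-means-Cisco heuristics to other events, and writes "unknown" for any host with no OS evidence so that host still appears in the inventory rather than silently dropping out. It generalizes the one-liner by ranking evidence, so a uname line always wins over a heuristic guess. The sample events, host names and the mylookup.csv file name are constructed for the example; the host and operating_system column names are the ones the lookup search above uses.

```python
"""
Build a host -> operating_system CSV lookup for Splunk from mixed evidence:
  rank 2: `uname -a` lines collected by a scripted input (first token is the OS name)
  rank 1: heuristics (WMI sourcetype => Windows, %ASA-/%PIX- in syslog => Cisco firewall)
  rank 0: no evidence => "unknown" (host is still listed so gaps in coverage are visible)
Added example, not from the original thread. Sample data below is constructed.
"""
import csv
import io
import re

# Constructed sample events as (host, sourcetype, raw event text).
SAMPLE_EVENTS = [
    ("web01", "uname", "Linux web01 5.15.0-91-generic #101-Ubuntu SMP x86_64 GNU/Linux"),
    ("db02", "uname", "SunOS db02 5.11 11.4 sun4v sparc"),
    ("fw-edge", "syslog", "%ASA-6-302013: Built inbound TCP connection 12345"),
    ("fw-edge", "syslog", "%ASA-6-302014: Teardown TCP connection 12345"),
    ("win-dc1", "WMI:WinEventLog:Security", "EventCode=4624 Logon Type=3"),
    ("mystery", "syslog", "something happened but nothing here says what OS it is"),
]

CISCO_FW = re.compile(r"%(ASA|PIX)-")


def classify(sourcetype, raw):
    """Return an OS label for one event, or None if the event says nothing about the OS."""
    if sourcetype == "uname":
        tokens = raw.split()
        return tokens[0] if tokens else None  # Linux, Darwin, SunOS, FreeBSD, ...
    if sourcetype.startswith("WMI:"):
        return "Windows"  # only Windows hosts produce WMI events
    if sourcetype == "syslog" and CISCO_FW.search(raw):
        return "Cisco firewall"
    return None


def build_lookup(events):
    """Collapse events into one row per host, keeping the highest-ranked evidence."""
    best = {}  # host -> (rank, label)
    for host, sourcetype, raw in events:
        label = classify(sourcetype, raw)
        if label is None:
            rank, label = 0, "unknown"
        elif sourcetype == "uname":
            rank = 2
        else:
            rank = 1
        if host not in best or rank > best[host][0]:
            best[host] = (rank, label)
    return {host: label for host, (_, label) in sorted(best.items())}


def to_csv(rows):
    """Serialize rows as the CSV Splunk expects for a file-based lookup (header + one row per host)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["host", "operating_system"])
    for host, os_name in rows.items():
        writer.writerow([host, os_name])
    return buf.getvalue()


if __name__ == "__main__":
    # Write to lookups/mylookup.csv inside your app (constructed file name) and define the
    # lookup in transforms.conf, then: | metadata type=hosts | lookup mylookup host OUTPUT operating_system
    print(to_csv(build_lookup(SAMPLE_EVENTS)), end="")
```

Because the script emits "unknown" rather than omitting the host, the resulting lookup doubles as a coverage check: a search for operating_system="unknown" lists exactly the machines whose OS has not been established yet, which is where the manual population the answer mentions is actually needed.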
host=*
I do not think there is a way to find out their OS, unless you have some script running uname -a and Splunk eating its output...