- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- Generate 80 reports at the first of each month
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I use splunk to collect Cisco firewall data. I have 80 firewalls in my network. I would like a report to be generated which has the results of 3 searches (in table format) for each of my firewalls on the first of every month. I don't think a report can do more than one search and I will probably use a view/dashboard instead. Instead of creating 80 reports manually, how can I use a list of devices to run a report against a view which is then emailed to me when it's complete?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The first trick is to get a list of the 80 firewalls. There are two ways to do this: one is to use a lookup table. The second way is to get the list by doing a search, which is what I will do (perhaps badly). Let's assume that the following search will return a list of the firewalls:
host=firewall* | dedup host | table host
The second trick is to use the map command to drive the reports based on the first search:
host=firewall* | dedup host | table host
| map search="host=$host$ | stats count by error_code event_desc | sort -count" maxsearches=100
Save this search and schedule it to run monthly, emailing you the results.
Repeat for the remaining two searches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The first trick is to get a list of the 80 firewalls. There are two ways to do this: one is to use a lookup table. The second way is to get the list by doing a search, which is what I will do (perhaps badly). Let's assume that the following search will return a list of the firewalls:
host=firewall* | dedup host | table host
The second trick is to use the map command to drive the reports based on the first search:
host=firewall* | dedup host | table host
| map search="host=$host$ | stats count by error_code event_desc | sort -count" maxsearches=100
Save this search and schedule it to run monthly, emailing you the results.
Repeat for the remaining two searches.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is pretty cool! I didn't know about the map keyword. It didn't work as is, I had to add an extra "search" keyword in there. The final result was this
host=firewall* | dedup host | table host
| map search="search host=$host$ | stats count by error_code event_desc | sort -count" maxsearches=100
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When creating a report I only see one search box that is available. I don't see how I can make a report with multiple search results. That's a dashboard/view not a report/search.
The three searches I want to conduct are:
host=$device$ | stats count by error_code event_desc | sort -count
host=$device$ | eventtype=firewall-deny | stats count by src_ip dest_ip dest_port | sort 25 -count
host=$device$ error_code="111008" | rex field=_raw "User (?<user>.*) executed the (?<command>.*) command." | table _time user command
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually, I think you might be surprised at how much can be combined into a single report.
What are the three searches?
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
