Hello All
I originally asked a similar question
https://answers.splunk.com/answers/682992/how-do-i-use-a-comparison-search-to-find-all-devic.html
It did seem to work, but it now seems not to be working. So here is what I am doing.
- Get a list of all hosts and IPs in our DMZs that are being reported live/active via a Qualys scan of our networks
- I take the results from the Qualys scan and place them into a lookup file called dmzhosts.csv
- I then take the dmzhosts.csv and run a search for hostname or IP address against index=. I am doing it this way due to the fact that not every device that is reporting into Splunk has a universal forwarder. I use the following search:
```
index=
    [ inputlookup dmzhosts.csv
      | table IP
      | rename IP AS host
      | format ]
    OR
    [ inputlookup dmzhosts.csv
      | table hostname
      | rename hostname AS host
      | format ]
| eval host=upper(host)
| stats count by host
| append [ inputlookup dmzhosts.csv | eval count=0, hostname=upper(hostname) | rename hostname as host | fields host, count ]
| stats sum(count) AS Total by host
| where Total=0
| outputlookup missingdmzhosts.csv
```
The search is only run over the last 24 hrs and is run every morning at 6am. My issue is that I have actually set up and verified manually several hosts that were missing. These systems are appliances and can only send syslog, but again, I have verified that I see their logs in Splunk. But my search still shows them as missing DMZ hosts.
Any help would be appreciated.
thanks
ed
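One way to reconcile the two identifiers, added here as an example and not part of the original post: seed every device in the lookup under both its IP and its hostname, carry the canonical hostname on each seed row as a `device` label, and total the counts per device rather than per raw `host` string. A syslog appliance whose events arrive with `host` set to its IP address then counts toward its lookup entry instead of being reported as missing. It assumes the `IP` and `hostname` columns named in the post; `index=<dmz_index>` is a placeholder for the index name that is not visible in the post.

```spl
index=<dmz_index>
    [ inputlookup dmzhosts.csv | rename IP AS host | table host | format ]
    OR
    [ inputlookup dmzhosts.csv | rename hostname AS host | table host | format ]
| eval host=upper(host)
| stats count BY host
| append
    [ inputlookup dmzhosts.csv
      | eval device=upper(hostname),
             host=mvappend(upper(IP), upper(hostname)),
             count=0
      | mvexpand host
      | table device host count ]
| eventstats values(device) AS device BY host
| where isnotnull(device)
| stats sum(count) AS Total BY device
| where Total=0
| rename device AS host
| outputlookup missingdmzhosts.csv
```

The seed rows from the `append` are the only rows that carry `device`; `eventstats values(device) BY host` copies that label onto the observed rows whose `host` string matches either identifier, and `where isnotnull(device)` drops anything that matched neither (for example a host value whose case or form differs from both lookup columns, which is worth checking with `stats count BY host` on its own before trusting the missing list). Two caveats a practitioner should keep in mind: the `format` subsearches are subject to the subsearch result limit (10,000 rows by default), so a very large DMZ inventory needs to be split or handled with a `lookup` join instead; and the search only proves a device logged something in the window, not that it logged the sources you expect.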