New to Splunk. I've set up the CylancePROTECT App for Splunk. You may be familiar with this, but Cylance has "Zones" that it uses to group and classify devices for a client. So we have one portal set up where each client has their own "Zone". I need to specify a particular zone in a search string that will filter only devices within that zone and then create a table that lists only these Cylance fields: Device Name, Created, Is Online, Offline Date, User.
I have been messing around and have found that these search strings are close to providing all of the information I need, but I don't know how to filter or list only the fields that I want. These commands return every field and also list every time the device comes up in the logs. I just need one row per device.
eventtype=cylance_index sourcetype=device | stats list by "Zones"
eventtype=cylance_index sourcetype=device | stats list by "Device Name"
I would also like to schedule a weekly/monthly report for every one of our zones so we'll know the number of devices, which are offline, and for how long.
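Two searches that do what the post asks for, added here as an example and not taken from the post or from the CylancePROTECT App for Splunk itself. Field names are assumed to be exactly the labels the post lists (Device Name, Created, Is Online, Offline Date, User, Zones); check them against the app's own field list in Splunk, and note that a field name containing a space must be double-quoted in search and stats clauses and single-quoted inside eval. The zone name "Client A", the value "False" for Is Online, and the "%Y-%m-%dT%H:%M:%S" layout of Offline Date are assumptions for the example. The first search filters on one zone and collapses the repeated events to one row per device by taking each field from the device's most recent event. The second search is the per-zone summary to save as a scheduled report: devices per zone, how many are offline, and the longest current offline stretch in days.

```spl
eventtype=cylance_index sourcetype=device Zones="Client A"
| stats latest(Created) AS Created latest("Is Online") AS "Is Online" latest("Offline Date") AS "Offline Date" latest(User) AS User BY "Device Name"
| table "Device Name" Created "Is Online" "Offline Date" User

eventtype=cylance_index sourcetype=device
| stats latest("Is Online") AS "Is Online" latest("Offline Date") AS "Offline Date" BY Zones "Device Name"
| eval offline_days=if('Is Online'="False", round((now() - strptime('Offline Date', "%Y-%m-%dT%H:%M:%S")) / 86400, 1), null())
| stats count AS devices count(eval('Is Online'="False")) AS offline max(offline_days) AS longest_offline_days BY Zones
```

Because `stats latest(...)` picks the value from the newest event for each device, the time range of the search only needs to be wide enough that every device has reported at least once in it; `eventtype=cylance_index` already restricts the index, so add the zone filter before the first pipe to keep the search cheap. If a device can belong to more than one zone, the Zones field will be multivalue and the second search should insert `| mvexpand Zones` before its first `stats` so each device is counted under every zone it belongs to. If the Offline Date format differs, `strptime` returns null and `offline_days` stays empty rather than producing a wrong number, which is a sign to adjust the format string. Save the second search as a report and attach a weekly or monthly schedule to it; the Zones column gives one row per client.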