Find where actual hostnames don’t match the host from the Universal Forwarder

Description: This will provide a list of hosts whose Universal Forwarder-reported host does not match the actual host name. This lets you find the hosts/IP addresses that need the clonefix actions run against them.
This could probably be written better to account for host names that include an underscore. It requires access to the _internal logs, so only admins will benefit from it.

index=_internal *_8089_* event_message="Running phone uri=/services/broker/phonehome/connection_*"
| dedup event_message
| rex "_(?<ip>\d+\.\d+\.\d+\.\d+)_8089_(?<fqdn>.{1,29})_(?<actualHost>.{1,15})_"
| eval actualHost=lower(actualHost)
| eval host=lower(host)
| table host actualHost ip fqdn uri
| where actualHost!=host
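As an added example (not part of the original post), here is the same check in Python, run over constructed _internal-style events, together with an underscore-tolerant variant that addresses the caveat above. The phonehome URI shape (..._ip_8089_fqdn_hostname_guid), the GUID tail and the sample events are assumptions, not real data.

```python
import re
from typing import NamedTuple, Optional

# Python form of the post's rex; assumes the URI shape ..._<ip>_8089_<fqdn>_<hostname>_<guid>
PHONEHOME_RE = re.compile(
    r"_(?P<ip>\d+\.\d+\.\d+\.\d+)_8089_(?P<fqdn>.{1,29})_(?P<actualHost>.{1,15})_"
)

class Mismatch(NamedTuple):
    host: str         # host as reported by the Universal Forwarder
    actual_host: str  # host name parsed out of the phonehome URI
    ip: str
    fqdn: str

def parse_uri(message: str) -> Optional[dict]:
    """Extract ip, fqdn and actualHost exactly as the post's rex does."""
    m = PHONEHOME_RE.search(message)
    return m.groupdict() if m else None

def host_in_uri(host: str, message: str) -> bool:
    """Underscore-tolerant check: does the UF-reported host appear as a
    '_'-delimited segment after the _8089_ marker? Unlike the rex, this
    still works when the real host name itself contains underscores."""
    parts = message.lower().split("_8089_", 1)
    return len(parts) == 2 and f"_{host.lower()}_" in f"_{parts[1]}"

def find_mismatches(events: list) -> list:
    """dedup event_message, then keep events whose reported host is not the
    host named in the phonehome URI (the post's 'where actualHost!=host')."""
    seen, out = set(), []
    for ev in events:
        msg = ev["event_message"]
        if msg in seen:
            continue
        seen.add(msg)
        fields = parse_uri(msg)
        if fields and not host_in_uri(ev["host"], msg):
            out.append(Mismatch(ev["host"].lower(), fields["actualHost"].lower(),
                                fields["ip"], fields["fqdn"].lower()))
    return out

GUID = "4F3A1B2C-1111-4222-8333-444455556666"  # constructed; no underscores, like a real GUID

def _msg(ip: str, fqdn: str, name: str) -> str:
    return f"Running phone uri=/services/broker/phonehome/connection_{ip}_8089_{fqdn}_{name}_{GUID}"

SAMPLE_EVENTS = [  # constructed sample _internal events, not real data
    {"host": "web01", "event_message": _msg("10.0.0.5", "web01.corp.example", "web01")},
    {"host": "web01", "event_message": _msg("10.0.0.6", "web02.corp.example", "web02")},  # cloned image
    {"host": "web01", "event_message": _msg("10.0.0.6", "web02.corp.example", "web02")},  # dropped by dedup
    {"host": "db_01", "event_message": _msg("10.0.0.7", "db_01.corp.example", "db_01")},  # rex mis-parses this
]
```

For the db_01 event the rex yields actualHost "01" and would flag it, while host_in_uri correctly reports no mismatch; only the cloned web02 box is returned.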