The following Splunk query lists every host that is sending data to a Splunk indexer through a universal forwarder. For each forwarder it returns the hostname, the Splunk version, and the architecture (64-bit vs 32-bit); hosts whose events lack those fields are reported as "pre 4.2" and "n/a" respectively.
index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* | eval Hostname=if(isnull(hostname), sourceHost,hostname) | eval version=if(isnull(version),"pre 4.2",version) | eval architecture=if(isnull(arch),"n/a",arch) | stats count by Hostname version architecture | sort + version
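As an added example (not from the original post), the same inventory logic in Python, run over a few constructed metrics.log-style lines. It shows what the query's filter and null handling actually do: connection rows without an eventType are kept, sourceHost stands in for a missing hostname, and missing version/arch become "pre 4.2"/"n/a". The key=value field layout is an assumption for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the key=value style of splunkd metrics.log
# (group=tcpin_connections); all hosts and values are invented.
SAMPLE_LOG = """\
INFO Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, connectionType=cooked, sourceHost=10.0.0.5, sourceIp=10.0.0.5, destPort=9997, kb=12.34, version=8.2.4, os=Linux, arch=x86_64, hostname=web01, fwdType=uf, ssl=true
INFO Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, connectionType=cooked, sourceHost=10.0.0.5, sourceIp=10.0.0.5, destPort=9997, kb=12.34, version=8.2.4, os=Linux, arch=x86_64, hostname=web01, fwdType=uf, ssl=true
INFO Metrics - group=tcpin_connections, 10.0.0.9:49001:9997, connectionType=cooked, sourceHost=10.0.0.9, sourceIp=10.0.0.9, destPort=9997, kb=0.50, version=9.0.1, os=Windows, arch=x86, hostname=dc01, fwdType=uf, ssl=true
INFO Metrics - group=tcpin_connections, 10.0.0.7:40122:9997, connectionType=cooked, sourceHost=10.0.0.7, sourceIp=10.0.0.7, destPort=9997, kb=3.10
INFO Metrics - group=tcpin_connections, 10.0.0.9:49001:9997, eventType=connect_done, sourceHost=10.0.0.9, version=9.0.1, arch=x86, hostname=dc01
INFO Metrics - group=queue, name=parsingqueue, max_size_kb=512, current_size_kb=0
"""

# One key=value pair; values run until the next comma or whitespace.
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_line(line):
    """Return the key=value fields of one metrics.log line as a dict."""
    return dict(KV_RE.findall(line))


def forwarder_inventory(log_text):
    """Mirror the SPL: keep group=tcpin_connections rows that have no
    eventType (connection statistics, not connect/disconnect events),
    apply the same fallbacks as the eval statements, count by
    (Hostname, version, architecture) and sort ascending by version."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("group") != "tcpin_connections" or "eventType" in fields:
            continue
        hostname = fields.get("hostname", fields.get("sourceHost"))  # isnull(hostname) -> sourceHost
        version = fields.get("version", "pre 4.2")                   # isnull(version) -> "pre 4.2"
        arch = fields.get("arch", "n/a")                             # isnull(arch)    -> "n/a"
        counts[(hostname, version, arch)] += 1
    rows = [(h, v, a, n) for (h, v, a), n in counts.items()]
    return sorted(rows, key=lambda r: r[1])


if __name__ == "__main__":
    for host, version, arch, count in forwarder_inventory(SAMPLE_LOG):
        print(f"{host:<12} {version:<8} {arch:<7} {count}")
```

The third row (10.0.0.7) is the case the eval fallbacks exist for: an older forwarder that reports no hostname, version or arch, so it would otherwise be dropped from a stats by those fields.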
I am looking for some use cases regarding a perimeter firewall. I have Palo Alto.
Rashid47010, we are going to be adding a request for query section here soon where you can post stuff just like this! Stay tuned!
For Windows
index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* source="C:\\Program Files\\SplunkUniversalForwarder\\var\\log\\splunk\\metrics.log" | eval Hostname=if(isnull(hostname), sourceHost,hostname) | eval version=if(isnull(version),"pre 4.2",version) | eval architecture=if(isnull(arch),"n/a",arch) | dedup Hostname,_time | stats count by Hostname version architecture | sort + version
Just Linux
index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* source="/opt/splunk/var/log/splunk/metrics.log" | eval Hostname=if(isnull(hostname), sourceHost,hostname) | eval version=if(isnull(version),"pre 4.2",version) | eval architecture=if(isnull(arch),"n/a",arch) | dedup Hostname,_time | stats count by Hostname version architecture _time | sort + Hostname +version