The following Splunk query will return results of any host using a universal forwarder to transmit data back to a Splunk indexer. The query will return hostname, version, as well as architecture (64-bit vs 32-bit).
index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* | eval Hostname=if(isnull(hostname), sourceHost,hostname) | eval version=if(isnull(version),"pre 4.2",version) | eval architecture=if(isnull(arch),"n/a",arch) | stats count by Hostname version architecture | sort + version
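To make the eval fallbacks and the stats step concrete, here is an added Python sketch (not from the original post) that applies the same logic to a few constructed splunkd metrics lines; the line layout, host names and field values are assumptions, not real data.

```python
import re
from collections import Counter

# Constructed sample splunkd metrics lines (not real data), shaped like
# group=tcpin_connections events; field names follow the SPL query above.
SAMPLE_LOG = """\
04-10-2020 12:00:00.000 +0000 INFO Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, connectionType=cooked, sourceHost=10.0.0.5, hostname=web01, version=8.0.3, arch=x86_64, fwdType=uf
04-10-2020 12:00:00.000 +0000 INFO Metrics - group=tcpin_connections, 10.0.0.6:51235:9997, connectionType=cooked, sourceHost=10.0.0.6, hostname=web02, version=8.0.3, arch=x86_64, fwdType=uf
04-10-2020 12:00:00.000 +0000 INFO Metrics - group=tcpin_connections, 10.0.0.7:51236:9997, connectionType=cooked, sourceHost=10.0.0.7
04-10-2020 12:00:00.000 +0000 INFO Metrics - group=tcpin_connections, 10.0.0.8:51237:9997, connectionType=cooked, sourceHost=10.0.0.8, hostname=db01, version=7.3.4, arch=i386, fwdType=uf
04-10-2020 12:00:00.000 +0000 INFO Metrics - group=tcpin_connections, 10.0.0.5:51234:9997, eventType=connect_close, sourceHost=10.0.0.5, hostname=web01, version=8.0.3, arch=x86_64
"""

KV = re.compile(r"(\w+)=([^,\s]+)")


def parse_event(line):
    """Return the key=value fields of one splunkd line as a dict."""
    return dict(KV.findall(line))


def forwarder_inventory(log_text):
    """Mirror the SPL: keep tcpin_connections events without eventType,
    apply the isnull() fallbacks, count by (Hostname, version, architecture)
    and sort ascending on the version string."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev.get("group") != "tcpin_connections" or "eventType" in ev:
            continue  # NOT eventType=* drops connect/close lifecycle events
        hostname = ev.get("hostname") or ev.get("sourceHost")  # old forwarders send no hostname
        version = ev.get("version") or "pre 4.2"              # no version field before 4.2
        arch = ev.get("arch") or "n/a"
        counts[(hostname, version, arch)] += 1
    return sorted(counts.items(), key=lambda kv: kv[0][1])


if __name__ == "__main__":
    for (host, version, arch), n in forwarder_inventory(SAMPLE_LOG):
        print(f"{host:10} {version:8} {arch:7} {n}")
```

The third sample line has neither hostname nor version, so it surfaces as a "pre 4.2" forwarder keyed by its source address, which is exactly the kind of stale agent the query is meant to expose.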
I am looking for some use cases regarding a perimeter firewall. I have Palo Alto.
Rashid47010, we are going to be adding a request for query section here soon where you can post stuff just like this! Stay tuned!