Search Results in Splunk

To view selected syslog data from Asset Manager in Splunk:

  1. On the Splunk Apps page, select Asset Manager App for Splunk.
  2. Select the Search tab.
  3. Enter your search criteria. Examples follow:
    • source="tcp:9997"
    • index="Asset Manager"
    • sourcetype="Asset Manager_log_parser"
    • Combine all three into one search:
      index="Asset Manager" sourcetype="Asset Manager_log_parser" source="tcp:9997"
    • Cloud instance inventory from the API parser (rows missing any of the required fields are dropped with isnotnull; the multivalue security-group field is renamed to a plain name):
      index="Asset Manager" sourcetype="Asset Managerapiparser"
      | table "Account ID" "Instance ID" "Public IP Address" Provider numberofinterfaces Name Region "securitygroupsids{}{}"
      | where isnotnull(numberofinterfaces) AND isnotnull(Provider) AND isnotnull(Name) AND isnotnull(Region)
      | rename "securitygroupsids{}{}" AS securitygroupsids
    • Device inventory from the API parser (the trailing search keeps only rows in which at least one of the listed fields is populated):
      index="Asset Manager" sourcetype="Asset Managerapiparser"
      | table "First Observed" "Last Observed" "DNS name" active device_id Device_Type inbound IP_Address known MAC_Address Operating_System outbound "scantypes{}" "protocols{}" snmpaccessible snmpresponder target vendor version zoneid zonename
      | search "First Observed"=* OR "Last Observed"=* OR "DNS name"=* OR active=* OR device_id=* OR Device_Type=* OR inbound=* OR IP_Address=* OR known=* OR MAC_Address=* OR Operating_System=* OR outbound=* OR "scantypes{}"=* OR "protocols{}"=* OR snmpaccessible=* OR snmpresponder=* OR target=* OR vendor=* OR version=* OR zoneid=* OR zonename=*
    • Operating system counts from the API parser:
      index="Asset Manager" sourcetype="Asset Managerapiparser"
      | table os count
      | where isnotnull(count) AND isnotnull(os)
    • Device records that carry a source_name:
      index="Asset Manager" sourcetype="Asset Managerapiparser" source_name=*
      | table ip os devicetype dns mac ts
    • Integration status from the API parser:
      index="Asset Manager" sourcetype="Asset Managerapiparser"
      | table integrationname enabled count ts
      | where isnotnull(integrationname)

  Quote any index, sourcetype or field name that contains a space or characters such as {}: unquoted, index=Asset Manager is parsed as index=Asset followed by the keyword Manager. "field not null" is not valid SPL; use isnotnull(field) in a where clause, or field=* in search. Substitute the index and sourcetype names configured in your own deployment.
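As an added example (not from the Asset Manager documentation or the app itself), the following search builds on the API-parser instance fields above to list internet-facing cloud instances per security group, which is the view a reviewer wants when checking which groups expose public addresses. It assumes the index, sourcetype and field names used on this page and that "Public IP Address" is populated only for instances that have a public address.

```spl
index="Asset Manager" sourcetype="Asset Managerapiparser" "Public IP Address"=*
| rename "securitygroupsids{}{}" AS securitygroupsids
| where isnotnull(Provider) AND isnotnull(Region) AND isnotnull('Instance ID')
| mvexpand securitygroupsids
| stats dc("Instance ID") AS public_instances, values("Public IP Address") AS public_ips BY Provider Region securitygroupsids
| sort - public_instances
```

mvexpand turns each multivalue security-group entry into its own row, so an instance attached to three groups is counted once under each of them. Note the quoting rule: search, table and stats accept double-quoted field names, but inside eval and where a double-quoted name is a string literal, so fields with spaces are referenced there with single quotes ('Instance ID').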