Search Results in Splunk

To view selected syslog data from Asset Manager in Splunk:

  1. On the Splunk Apps page, select Asset Manager App for Splunk.
  2. Select the Search tab (if you are not there already).
  3. Enter your search criteria. Examples follow:
    1. source=”tcp:9997”
    2. index=Asset Manager
    3. sourcetype=”Asset Manager_log_parser”
    4. now combine all 3 into one search
    5. index=Asset Manager sourcetype=”Asset Manager_log_parser” source=”tcp:9997”
    6. index=Asset Manager sourcetype="Asset Managerapiparser" *|table "Account ID" "Instance ID" "Public IP Address" Provider numberofinterfaces Name Region securitygroupsids{}{} | where numberofinterfaces not null and Provider not null and Name not null and Region not null| rename securitygroupsids{}{} as securitygroupsids

    7. index=Asset Manager sourcetype=Asset Managerapiparser * |table "First Observed" "Last Observed" "DNS name" active device_id Device_Type inbound IP_Address known MAC_Address Operating_System outbound scantypes{} protocols{} snmpaccessible snmpresponder target vendor version zoneid zonename| search "First Observed"=* OR "DNS name"=* OR "Last Observed"=* OR active=* OR device_id=* OR Device_Type=* OR inbound=* OR IP_Address=* OR known=* OR MAC_Address=* OR Operating_System=* OR outbound=* OR scantypes{}=* OR protocols{}=* OR snmpaccessible=* OR snmpresponder=* OR target=* OR vendor=* OR version=* OR zoneid=* OR zonename=*

    8. index=Asset Manager sourcetype="Asset Managerapiparser" |table os count time| fields - time
      | where count not null and os not null

    9. index=Asset Manager sourcetype="Asset Managerapiparser" * source_name=* | table ip os devicetype dns mac ts

    10. index=Asset Manager sourcetype="Asset Managerapiparser" * |table integrationname enabled count ts|where integrationname not nul

Sample Search Results