How to combine my two searches to alert on duplicate GUIDs for universal forwarder installations?

Hello,

We recently deployed Splunk in our environment and recently discovered that our engineering teams are cloning systems without clearing out the universal forwarder GUID and related logs prior to cloning the machine. I'm trying to set up a search and email alert to identify these problematic systems.

I have the following search that I can run on my Deployment Server which will give me back duplicate UF GUIDs and count.

| rest /services/deployment/server/clients count=0 splunk_server=local | fields hostname name ip dns utsname | stats count by name | where count > 1

I also have this search that returns all my UF installations from my deployment server.

| rest /services/deployment/server/clients count=0 splunk_server=local | fields hostname name ip dns utsname | rename name as clientName

I need help tying these two searches together.

...search... | rest /services/deployment/server/clients count=0 splunk_server=local | fields hostname name ip dns utsname | stats count by name | where count > 1) WHERE GUID IN (| rest /services/deployment/server/clients count=0 splunk_server=local | fields hostname name ip dns utsname | stats count by name | where count > 1)

I'm familiar with SQL, but still learning SPL so I'm not sure how to link the two separate searches together with an equivalent SQL IN clause.

Lastly, I want to schedule this search and email me a report of machines with duplicate GUIDs (but not email me an empty report).

Any help is appreciated. Thank you.
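Added example (not from the original post or any answer to it): one way to join the two searches using `eventstats`, which keeps every client row but annotates it with the per-GUID count, followed by the subsearch form that mirrors the SQL `IN` the poster describes. The field names are those returned by the poster's own `| rest` search; `guid_count` and `clientName` are names chosen here.

```spl
| rest /services/deployment/server/clients count=0 splunk_server=local
| fields hostname name ip dns utsname
| eventstats count AS guid_count BY name
| where guid_count > 1
| rename name AS clientName
| sort 0 clientName hostname
| table clientName guid_count hostname ip dns utsname

| rest /services/deployment/server/clients count=0 splunk_server=local
| fields hostname name ip dns utsname
| search [| rest /services/deployment/server/clients count=0 splunk_server=local | stats count BY name | where count > 1 | fields name]
| rename name AS clientName
| table clientName hostname ip dns utsname
```

Saved as a scheduled alert with the trigger condition "Number of results" greater than 0, the email action fires only when at least one duplicate GUID exists, so no empty report is sent. Because the deployment server treats clients sharing a GUID as one host, the hostname and ip columns are what identify which cloned machines still need a fresh forwarder identity.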
