Add host to the device inventory v2 from internal logs #382
Conversation
hardikhdholariya
commented
Aug 28, 2023
- Added the table border of the expanded tables
- Added savedsearch to add host to the device inventory v2 from internal logs
@@ -3506,7 +3506,7 @@ search = `cs_lansweeper` `cs_lansweeper_timerange` \ | |||
| eval product_name="Lansweeper", product_uuid=AssetID, hostname=lower(mvdedup(mvappend(AssetName, FQDN))), ip=lower(IPAddress), mac_address=lower(Mac), antivirus=mvzip(antivirus_name, antivirus_enabled, "#") \ | |||
| rename _time as time, AssetID as lansweeper_id, host as lansweeper_collected_by, site_name as Site, AssetTypename as AssetType, Statename as lansweeper_state, Userdomain as Domain, AssetGroup as GroupName, OScode as OSVersion, Username as lansweeper_user, version as AssetVersion, OS as lansweeper_os, FQDN as lansweeper_fqdn, Firstseen as FirstSeen, Lastseen as LastSeen \ | |||
| fillnull value="" hostname mac_address ip \ | |||
| dedup hostname mac_address ip \ | |||
| dedup hostname mac_address ip ```In order to avoid the duplicate entries of the similar devices which has diff AssetID``` \ |
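Review bot: the added `dedup hostname mac_address ip` on the last line keeps whichever event for a given combination comes first in the current result order, so after `fillnull value=""` two Lansweeper records with the same hostname, empty MAC/IP and different `AssetID` (carried on as `lansweeper_id`/`product_uuid`) collapse onto an arbitrary one of them. If that is the intended behaviour, put an explicit `| sort 0 -time` before the dedup so the most recently seen record is the survivor, and move the explanation into a `#` comment in savedsearches.conf rather than an inline triple-backtick SPL comment, which is only understood by Splunk 9.0 and later.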
We need to remove this as we discussed.
Yes, we discussed removing it, but I found it useful in some scenarios, as follows:
If there are 2 assets with different AssetIDs, the same host, and empty MAC & IP, then
- dedup will treat them as one asset
- without dedup, they will be 2 assets in the device inventory, because it considers them the same asset only if 2 properties (from host, ip, mac) are the same (where the values must not be empty or null).
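The two merging behaviours contrasted in the reply above, as an added Python example (not code from the Cyences project): `dedup_by_fields` mirrors the SPL `fillnull value="" | dedup hostname mac_address ip`, and `merge_inventory` implements the two-of-three non-empty matching rule as the comment describes it; the sample assets and the assumption that the device manager folds records one at a time are constructed here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    asset_id: str
    hostname: str
    ip: str = ""   # empty string stands for a null/absent value, as after fillnull value=""
    mac: str = ""


def dedup_by_fields(assets):
    """SPL-style `dedup hostname mac_address ip`: keeps the first asset seen for
    each exact (hostname, mac, ip) combination, regardless of asset_id."""
    seen, kept = set(), []
    for a in assets:
        key = (a.hostname, a.mac, a.ip)
        if key not in seen:
            seen.add(key)
            kept.append(a)
    return kept


def same_device(a, b):
    """Matching rule described in the thread (assumed): two records are the same
    device when at least two of hostname/ip/mac agree and both values are non-empty."""
    pairs = ((a.hostname, b.hostname), (a.ip, b.ip), (a.mac, b.mac))
    return sum(1 for x, y in pairs if x and y and x == y) >= 2


def merge_inventory(assets):
    """Fold each record into an existing inventory entry when same_device() holds,
    otherwise add it as a new entry (constructed stand-in for the device manager)."""
    inventory = []
    for a in assets:
        if not any(same_device(a, entry) for entry in inventory):
            inventory.append(a)
    return inventory


# Constructed sample: two records for ws-01 with different AssetIDs and no MAC/IP
# (the commenter's case), one fully populated ws-01 record, and a renamed host that
# shares IP and MAC with it.
SAMPLE = [
    Asset("1001", "ws-01"),
    Asset("1002", "ws-01"),
    Asset("1003", "ws-01", ip="10.0.0.5", mac="aa:bb:cc:00:00:01"),
    Asset("1004", "ws-01-old", ip="10.0.0.5", mac="aa:bb:cc:00:00:01"),
]
```

Only the dedup collapses 1001/1002, and only the two-of-three rule folds the renamed 1004 into 1003, so running both (dedup first) gives the smallest inventory.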
ok
| stats latest(sourceIp) as ip, latest(fwdType) as forwarder_type, latest(version) as version, latest(arch) as arch, latest(os) as os, max(_time) as time values(splunk_server) as splunk_server by hostname \ | ||
| eval product_name="Splunk Internal", product_uuid=hostname."-".ip, mac_address="" \ | ||
| cyencesdevicemanager operation="addentries" | ||
action.cyences_notable_event_action.products = Splunk Internal |
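Review bot: `product_uuid=hostname."-".ip` ties the identifier to the forwarder's current IP, so a host that changes address gets a new `product_uuid` and a second inventory entry, and when `latest(sourceIp)` is null the concatenation evaluates to null and the entry is added with no uuid at all; use a stable key such as the hostname alone, or at least `coalesce(ip, "")`, and add the missing comma before `values(splunk_server)` for consistency with the rest of the `stats` clause.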
@mahirchavda - Please review this and advise.
@@ -3705,6 +3705,27 @@ search = `cs_kaspersky` ProductName=KES* \ | |||
| outputlookup cs_kaspersky_inventory_v2 | |||
action.cyences_notable_event_action.products = Kaspersky | |||
|
|||
[Device Inventory - Splunk Internal - V2] |
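Review bot: the Kaspersky stanza in the context lines persists its results with `| outputlookup cs_kaspersky_inventory_v2`, while the new `[Device Inventory - Splunk Internal - V2]` stanza pushes straight into the device manager with `cyencesdevicemanager operation="addentries"` (earlier hunk); either follow the per-product lookup pattern or add a comment in the stanza explaining why Splunk Internal bypasses it, and update the documentation that lists the device inventory sources, which this PR does not touch.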
This should be similar to Lansweeper. Get the latest things only, and we can delete old stuff.
5843158 into CY-500-implement-device-inventoy-v2
@mahirchavda - I think this needs to be changed outside the minified JS. Please work with @mahirchavda to make that change.