Add host to the device inventory v2 from internal logs #382
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
hardikhdholariya
commented
Aug 28, 2023
hardikhdholariya
commented
- Added the table border of the expanded tables
- Added savedsearch to add host to the device inventory v2 from internal logs
| @@ -3506,7 +3506,7 @@ search = `cs_lansweeper` `cs_lansweeper_timerange` \ | |||
| | eval product_name="Lansweeper", product_uuid=AssetID, hostname=lower(mvdedup(mvappend(AssetName, FQDN))), ip=lower(IPAddress), mac_address=lower(Mac), antivirus=mvzip(antivirus_name, antivirus_enabled, "#") \ | |||
| | rename _time as time, AssetID as lansweeper_id, host as lansweeper_collected_by, site_name as Site, AssetTypename as AssetType, Statename as lansweeper_state, Userdomain as Domain, AssetGroup as GroupName, OScode as OSVersion, Username as lansweeper_user, version as AssetVersion, OS as lansweeper_os, FQDN as lansweeper_fqdn, Firstseen as FirstSeen, Lastseen as LastSeen \ | |||
| | fillnull value="" hostname mac_address ip \ | |||
| | dedup hostname mac_address ip \ | |||
| | dedup hostname mac_address ip ```In order to avoid the duplicate entries of the similar devices which has diff AssetID``` \ | |||
There was a problem hiding this comment.
We need to remove this as we discussed.
There was a problem hiding this comment.
Yes, we've discussed to remove it. but I found it useful in some scenarios as following:
If 2 assets with diff assetid and same host and empty mac & ip will be there then
- dedup will treat it as a one asset
- without using dedup, it will be 2 assets in device inventory because it considers the same asset only if 2 property(from host, ip, mac) is same (where values should not be empty or null).
| | stats latest(sourceIp) as ip, latest(fwdType) as forwarder_type, latest(version) as version, latest(arch) as arch, latest(os) as os, max(_time) as time values(splunk_server) as splunk_server by hostname \ | ||
| | eval product_name="Splunk Internal", product_uuid=hostname."-".ip, mac_address="" \ | ||
| | cyencesdevicemanager operation="addentries" | ||
| action.cyences_notable_event_action.products = Splunk Internal |
There was a problem hiding this comment.
@mahirchavda - Please review this and advice.
| @@ -3705,6 +3705,27 @@ search = `cs_kaspersky` ProductName=KES* \ | |||
| | outputlookup cs_kaspersky_inventory_v2 | |||
| action.cyences_notable_event_action.products = Kaspersky | |||
|
|
|||
| [Device Inventory - Splunk Internal - V2] | |||
There was a problem hiding this comment.
This should be similar to Lansweeper. Get the latest things only, and we can delete old stuff.
VatsalJagani
approved these changes
Aug 29, 2023
hardikhdholariya
merged commit 5843158
into
CY-500-implement-device-inventoy-v2
1 check passed
There was a problem hiding this comment.
@mahirchavda - I think this needs to be changed outside minified JS. Please work with @mahirchavda do make that change.
VatsalJagani
deleted the
Add-host-to-the-device-inventory-v2-from-_internal-logs
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.