Splunk search for Forwarders with certificate errors

index=_internal sourcetype=splunkd HttpListener "Socket error from "
| rex "(?<errorLog>WARN\s+HttpListener\s.*?Socket error.*)"
| rex field=errorLog "WARN\s+HttpListener\s.*?Socket error from\s+(?<ip>[^ ]+)"
| rename ip AS uf_ip
| stats earliest(_time) AS Earliest latest(_time) AS Latest count BY uf_ip host errorLog
| eval Earliest=strftime(Earliest,"%b %d, %Y %H:%M:%S")
| eval Latest=strftime(Latest,"%b %d, %Y %H:%M:%S")
| table Earliest Latest uf_ip errorLog count
| sort - count
| rename Earliest AS "First Seen", Latest AS "Last Seen", uf_ip AS "Source IP", errorLog AS "Error Log", count AS Count
This Splunk search returns details on Universal Forwarders that are reporting certificate-related errors: for each source IP and distinct HttpListener "Socket error" message it shows when the error was first and last seen and how many times it occurred, most frequent first.
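To see exactly what the two rex stages extract and how the stats/strftime stages shape the result, here is an added Python re-implementation of the search run over a few constructed splunkd.log-style lines. This is example code, not part of the original page; the log lines are constructed (they approximate the splunkd.log layout but were not captured from a real system), the host name "idx01" is a placeholder for the indexing host, and the time format uses %d for day of month.

```python
import re
from datetime import datetime

# Constructed sample lines in a splunkd.log-like layout (not captured from a real system).
# Only the WARN HttpListener "Socket error from" lines should match, as in the SPL filter.
SAMPLE_LOG = """\
01-15-2024 10:23:45.123 +0000 INFO  TcpInputProc [1234 TcpListener] - Connection from 10.1.2.3
01-15-2024 10:23:46.001 +0000 WARN  HttpListener [1234 HttpListener] - Socket error from 10.1.2.3 while accessing /services/collector: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
01-15-2024 10:25:10.500 +0000 WARN  HttpListener [1234 HttpListener] - Socket error from 10.1.2.3 while accessing /services/collector: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
01-15-2024 10:30:00.000 +0000 WARN  HttpListener [1234 HttpListener] - Socket error from 10.1.2.9 while idling: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
01-15-2024 10:31:00.000 +0000 ERROR TcpOutputProc [1234 TcpOutEloop] - Unrelated output error, no HttpListener involved
"""

# Same patterns as the two rex stages; Python spells named groups (?P<name>...).
ERROR_LOG_RE = re.compile(r"(?P<errorLog>WARN\s+HttpListener\s.*?Socket error.*)")
IP_RE = re.compile(r"WARN\s+HttpListener\s.*?Socket error from\s+(?P<ip>[^ ]+)")
# splunkd.log timestamp prefix: MM-DD-YYYY HH:MM:SS.mmm +ZZZZ
TS_RE = re.compile(r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4})")
TIME_FMT = "%b %d, %Y %H:%M:%S"


def parse_time(line):
    """Return the event time (_time) parsed from the line's timestamp prefix, or None."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{m.group('ts')} {m.group('tz')}", "%m-%d-%Y %H:%M:%S.%f %z")


def run_search(lines, host="idx01"):
    """Emulate the SPL pipeline: keyword filter, two rex extractions, stats by
    (uf_ip, host, errorLog), strftime formatting, sort by count descending, rename."""
    groups = {}
    for line in lines:
        # Base search terms: HttpListener and the phrase "Socket error from " must both appear.
        if "HttpListener" not in line or "Socket error from " not in line:
            continue
        m = ERROR_LOG_RE.search(line)
        if not m:
            continue
        error_log = m.group("errorLog")
        m_ip = IP_RE.search(error_log)
        if not m_ip:
            continue
        event_time = parse_time(line)
        if event_time is None:
            continue
        key = (m_ip.group("ip"), host, error_log)
        g = groups.setdefault(key, {"earliest": event_time, "latest": event_time, "count": 0})
        g["earliest"] = min(g["earliest"], event_time)
        g["latest"] = max(g["latest"], event_time)
        g["count"] += 1

    rows = []
    for (uf_ip, _host, error_log), g in groups.items():
        rows.append({
            "First Seen": g["earliest"].strftime(TIME_FMT),
            "Last Seen": g["latest"].strftime(TIME_FMT),
            "Source IP": uf_ip,
            "Error Log": error_log,
            "Count": g["count"],
        })
    # "sort - count": highest count first (table drops host, as the SPL does)
    rows.sort(key=lambda r: r["Count"], reverse=True)
    return rows


if __name__ == "__main__":
    for row in run_search(SAMPLE_LOG.splitlines()):
        print(row)
```

The filter here is a case-sensitive substring match, whereas Splunk's base search terms are case-insensitive; for the purpose of checking the regexes and the aggregation that difference does not matter. Note that the whole message (including the source address) is part of the grouping key, so two forwarders failing with the same certificate error still get separate rows.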
Category: General Splunk