Here is an example where we get a basic inventory of our FlexPod...
@@ -472,24 +472,39 @@ So it seems very easy to search for Tags{}.Value=Premier if you wanted to find a
472
472
The solution that I've come up with using only native Splunk SPL is pretty complex but appears to be safe to use. Here is an example...
473
473
474
474
```SPL
475
-
index=* sourcetype="cisco:intersight:*" | dedup Moid | rename Tags{}.Key as Key, Tags{}.Value as Value | eval zip=mvzip(Key,Value, ":") | mvexpand zip |rex field=zip mode=sed "s/$/\"}/g" |rex field=zip mode=sed "s/^/{\"Tags./g"| rex field=zip mode=sed "s/:/\": \"/g" | spath input=zip | transaction Moid | search Tags.Intersight.LicenseTier=Premier`
475
+
index=* sourcetype="cisco:intersight:*"
476
+
| dedup Moid
477
+
| rename Tags{}.Key as Key, Tags{}.Value as Value
478
+
| eval zip=mvzip(Key,Value, ":") | mvexpand zip
479
+
|rex field=zip mode=sed "s/$/\"}/g"
480
+
|rex field=zip mode=sed "s/^/{\"Tags./g"
481
+
| rex field=zip mode=sed "s/:/\": \"/g"
482
+
| spath input=zip
483
+
| transaction Moid
484
+
| stats count by Tags.Intersight.LicenseTier
476
485
```
477
486
478
487
This approach returns all of the available tags as separate fields named `Tags.<Key>`. This certainly seems much more convenient to use as we can now search the value of specific tags. The Add-on also provides the above as a macro that can be used like this...
479
488
480
489
```SPL
481
-
index=* sourcetype=cisco:intersight:computePhysicalSummaries | `intersight_tags` | stats count by Tags.Intersight.LicenseTier
490
+
index=* sourcetype=cisco:intersight:*
491
+
| dedup Moid
492
+
| `intersight_tags`
493
+
| stats count by source, Tags.Intersight.LicenseTier
482
494
```
483
495
484
496

485
497
486
498
An alternate (and perhaps better) approach is using the [array2object](https://splunkbase.splunk.com/app/6161/) application that is available from Splunkbase.
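Review bot: The added `| rex field=zip mode=sed "s/:/\": \"/g"` step rewrites every colon in `zip`, not only the one inserted by `mvzip(Key,Value, ":")`, and nothing in the pipeline escapes a double quote inside a tag key or value. A tag whose key or value contains `:` or `"` (a URL or a timestamp, for example) therefore yields malformed JSON that `spath input=zip` will not parse as intended. Consider joining with a delimiter that cannot occur in tag data, replacing only that delimiter, and escaping embedded quotes before wrapping the string. The text says the `intersight_tags` macro provides the same pipeline, so it would need the same change. Because the surrounding text says the approach "appears to be safe to use", the limitation is worth stating there until it is fixed. Minor: pipe spacing in the added lines is inconsistent (`|rex` versus `| rex`), and `| eval zip=mvzip(Key,Value, ":") | mvexpand zip` still shares one line while every other command has its own.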
A further look at the data will indicate that most of these are actually related to routine processing of user preferences and filtering those out gives a much more valuable list of audit logs with truncated Results values.
505
520
506
521
```SPL
507
-
index=* sourcetype=cisco:intersight:aaaAuditRecords Request=TRUNCATED MoType!=iam.UserPreference | rename MoDisplayNames.Name{} as name |table source, Email, Event, MoType, name
Everything else has been pruned of unhelpful data to the point that it shouldn't exceed the 10KB limit. If anything does exceed that 10KB, it will be logged...
@@ -520,7 +537,8 @@ The most useful thing will be the log file from the Add-on. This will be called
520
537
It should also be available via the following search...
Note that if you have multiple inputs (i.e. different Intersight accounts/appliances) configured in the Add-on, the log messages for all of the configured inputs will be interspersed. The Name from the 'Add Input' dialog above is used in the log to differentiate. In these logs, the name EXAMPLE was used.