yorokobi · June 19, 2019 12:15
diff --git a/gistfile1.txt b/gistfile1.txt
 index=_internal source="*metrics.lo*" group=tcpin_connections earliest=-7d latest=now 
 | eval sourceHost = if( isnull(hostname), sourceHost, hostname ) 
 | dedup sourceHost 
 | eval connectionType=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf", "Lightweight Forwarder",fwdType=="full", "Heavy Forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","Legacy Forwarder") 
 | eval build = if( isnull(build), "N/A", build ) 
 | eval version = if( isnull(version), "pre 4.2", version ) 
 | eval guid = if( isnull(guid), sourceHost, guid ) 
 | eval os = if( isnull(os), "N/A", os ) 
 | eval arch = if( isnull(arch), "N/A", arch ) 
 | rex field=guid mode=sed "s/-//g" 
 | eval guid = lower(guid) 
 | rex field=sourceHost "(?<sourceHost>[^\.]+)\.(?<sourceDomain>.+)" 
 | table connectionType sourceHost sourceDomain sourceIp build version os arch guid 
 | outputlookup createinapp=t splunk_forwarders.csv
	index=_internal source="metrics.lo" group=tcpin_connections earliest=-7d latest=now
	\| eval sourceHost = if( isnull(hostname), sourceHost, hostname )
	\| dedup sourceHost
	\| eval connectionType=case(fwdType=="uf","Universal Forwarder", fwdType=="lwf", "Lightweight Forwarder",fwdType=="full", "Heavy Forwarder", connectionType=="cooked" or connectionType=="cookedSSL","Splunk forwarder", connectionType=="raw" or connectionType=="rawSSL","Legacy Forwarder")
	\| eval build = if( isnull(build), "N/A", build )
	\| eval version = if( isnull(version), "pre 4.2", version )
	\| eval guid = if( isnull(guid), sourceHost, guid )
	\| eval os = if( isnull(os), "N/A", os )
	\| eval arch = if( isnull(arch), "N/A", arch )
	\| rex field=guid mode=sed "s/-//g"
	\| eval guid = lower(guid)
	\| rex field=sourceHost "(?<sourceHost>[^\.]+)\.(?<sourceDomain>.+)"
	\| table connectionType sourceHost sourceDomain sourceIp build version os arch guid
	\| outputlookup createinapp=t splunk_forwarders.csv