Example Splunk Queries

This section provides sample queries to help you get started writing your own Splunk queries using Illumio data.

Workload Report Query

This is a fairly complicated query, but you can use it to generate a workload report that shows the labels associated with each workload. You can export the results to a .csv file for reporting.

`illumio_get_index` sourcetype="illumio:pce:metadata" (illumio_type="illumio:pce:workload")
| search "agent.href"="*" fqdn="*"
| rex field=href "orgs\/\d+\/workloads\/(?<workload_uuid>\S+)"
| fields labels{}.href uuid hostname os_id public_ip agent.config.mode agent.config.log_traffic agent.status.status workload_uuid
| mvexpand labels{}.href
| rename labels{}.href as href
| lookup illumio_workload_mapping_lookup href workload_uuid OUTPUTNEW type label
| eval {type}_label=label
| stats values(*) as * by workload_uuid
| table hostname, public_ip, os_id, agent.config.mode, agent.config.log_traffic, agent.status.status, role_label, app_label, env_label, loc_label
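The following query is an added example and is not one of the queries from the Illumio app documentation. It reuses the same macro, sourcetype, lookup and field names as the workload report above, but instead of listing one row per workload it counts workloads per label combination and records which enforcement modes (agent.config.mode) appear in each group. The fillnull step is there because stats ... BY silently drops any workload that is missing one of the label fields; the "unlabeled" placeholder value is chosen here and is not an Illumio value.

```spl
`illumio_get_index` sourcetype="illumio:pce:metadata" (illumio_type="illumio:pce:workload")
| search "agent.href"="*" fqdn="*"
| rex field=href "orgs\/\d+\/workloads\/(?<workload_uuid>\S+)"
| fields labels{}.href uuid hostname agent.config.mode agent.status.status workload_uuid
| mvexpand labels{}.href
| rename labels{}.href as href
| lookup illumio_workload_mapping_lookup href workload_uuid OUTPUTNEW type label
| eval {type}_label=label
| stats values(*) as * by workload_uuid
| fillnull value="unlabeled" role_label app_label env_label loc_label
| stats count AS workloads values(agent.config.mode) AS enforcement_modes values(hostname) AS hostnames BY env_label app_label role_label loc_label
| sort -workloads
```

Groups whose enforcement_modes column lists more than one value, or whose label columns read "unlabeled", are the rows worth reviewing first: they are the workloads whose policy coverage differs from the rest of their application or environment. As with the report above, the result table can be exported to a .csv file.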
Top Events Query

`illumio_get_index` sourcetype="illumio:pce" | top event_type

Top Outgoing Connections Query

sourcetype="illumio:pce:collector" | search dir=O | top dst_ip

Top Incoming Connections Query

sourcetype="illumio:pce:collector" | search dir=I | top src_ip

Most Active Machines

sourcetype="illumio:pce:collector" | search dir=I | top dst_ip

Top Source Ports

sourcetype="illumio:pce:collector" | top dest_port
Top Machines with Connections in a Given Network

This example query returns the top machines with connections in 10.0.0.0/8:

sourcetype="illumio:pce:collector" | search dst_ip=10.0.0.0/8 | top dst_ip
Geolocate Destination IPs

The following query plots destination IPs on a map:

sourcetype="illumio:pce:collector" | search dst_ip!=10.0.0.0/8 | iplocation dst_ip | geostats count latfield=lat longfield=lon
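The query below is an added example, not one of the queries from the Illumio app documentation, and it combines the CIDR filtering from the 10.0.0.0/8 query with the dir=I and dest_port fields used in the earlier collector queries and the iplocation enrichment used for the map above. It lists internal machines that accept inbound connections from outside the network, grouped by destination port, with the number of distinct external sources and the countries they geolocate to. It assumes, as the queries on this page do, that 10.0.0.0/8 is the internal range and that for dir=I events src_ip is the remote peer and dst_ip the receiving workload; the column names flows, distinct_sources and source_countries are chosen here.

```spl
`illumio_get_index` sourcetype="illumio:pce:collector"
| search dir=I src_ip!=10.0.0.0/8 dst_ip=10.0.0.0/8
| iplocation src_ip
| stats count AS flows dc(src_ip) AS distinct_sources values(Country) AS source_countries BY dst_ip dest_port
| sort 20 -distinct_sources, -flows
```

Sorting on distinct_sources first surfaces ports that many different external addresses reach, which is usually a better indicator of an exposed service than raw flow volume; the same pipeline can be restricted to a single workload by adding its dst_ip to the search clause.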