
Untitled

a guest
Nov 26th, 2015
  1. #A script for grabbing the list of Splunk clients and comparing it to a list of active P1s.
  2. cls
  3. #Making sure we have the folders we need
  4. If (!(test-path "\\emeadkhovsand01\logs\ssn\splunksearch")) {new-item "\\emeadkhovsand01\logs\ssn\splunksearch" -type Directory}
  5. If (!(test-path "\\emeadkhovsand01\logs\ssn\splunksearch\Missingtmp")) {new-item "\\emeadkhovsand01\logs\ssn\splunksearch\Missingtmp" -type Directory}
  6. write-host "Purging old files"
  7. If (test-path "\\emeadkhovsand01\logs\ssn\splunksearch\missingtmp") {write-host "Clearing Missingtmp"; Remove-Item \\emeadkhovsand01\logs\ssn\splunksearch\missingtmp\*}
  8. If (test-path "\\emeadkhovsand01\logs\ssn\splunksearch\missing.txt") {write-host "Clearing Missing.txt"; Remove-Item \\emeadkhovsand01\logs\ssn\splunksearch\missing.txt}
  9.  
  10.  
  11.  
  12. write-host "Grabbing the list of Splunk clients"
  13. $secpasswd = ConvertTo-SecureString "Password" -AsPlainText -Force
  14. $mycreds = New-Object System.Management.Automation.PSCredential ("username", $secpasswd)
  15. #dispatching the search
  16. $splunkdispatch = invoke-webrequest "https://url-to-splunk-server:8089/services/saved/searches/psrestpos/dispatch?dispatch.now&trigger_actions=1" -method POST -credential $mycreds -Proxy "Http://webproxy:8080" -ProxyUseDefaultCredentials
  17. #find the SID
  18. $SIDRegex = "\d{9,}_\d{5,}"
  19. $SID = select-string -Pattern $SIDRegex -InputObject $splunkdispatch.content | % { $_.Matches }
  20.  
  21. write-host "`rSaved search has been dispatched, waiting for search to finish and continuing in  5" -NoNewLine; start-sleep -s 1
  22. write-host "`rSaved search has been dispatched, waiting for search to finish and continuing in  4" -NoNewLine; start-sleep -s 1
  23. write-host "`rSaved search has been dispatched, waiting for search to finish and continuing in  3" -NoNewLine; start-sleep -s 1
  24. write-host "`rSaved search has been dispatched, waiting for search to finish and continuing in  2" -NoNewLine; start-sleep -s 1
  25. write-host "`rSaved search has been dispatched, waiting for search to finish and continuing in  1"; start-sleep -s 1
  26.  
  27. $splunkresults = invoke-webrequest "https://url-to-splunk-server:8089/servicesNS/nobody/search/search/jobs/username__username__search__psrestpos_at_$SID/results?output_mode=csv&count=0"-credential $mycreds -Proxy "Http://webproxy:8080" -ProxyUseDefaultCredentials
  28.  
  29. #Strip the list of anything but the hostnames
  30. $regex = "PRD-[a-zA-Z]{2}0\d{3}-P1"
  31. $splunkhosts = select-string -Pattern $regex -InputObject $splunkresults.content -AllMatches | % { $_.Matches } | % { $_.Value.ToUpper() } | sort-object $_.Value
  32. $splunkresults.content > splunkhosts.txt
  33. $splunkcount = $Splunkhosts.count
  34. write-host "$splunkcount hosts found"
  35. write-host "Searching the AD for P1s that have been active within the past 21 days"
  36. $d = ((Get-Date).ticks-18144000000000)
  37. $d2 = [DateTime]$d
  38. $strFilter = "(&(objectCategory=Computer)(Name=PRD-*P1)(LastLogon<=$d))"
  39. $objSearcher = New-Object System.DirectoryServices.DirectorySearcher
  40. $objSearcher.SearchRoot = $objDomain
  41. $SR = "Domain"
  42. $objSearcher.PageSize = 1000
  43. $objSearcher.Filter = $strFilter
  44. $objSearcher.SearchScope = "Subtree"
  45. $colProplist = "dnshostname"
  46. foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}
  47.  
  48. $colResults = $objSearcher.FindAll()
  49. $hostlist = select-string -Pattern $regex -InputObject $colResults.properties.dnshostname -AllMatches | % { $_.Matches } | % { $_.Value.ToUpper() } | select-object -unique | sort-object $_.Value
  50. write-host "AD Search completed"
  51.  
  52. Write-host "Let's see who's missing"
  53. $Missingtmp = $hostlist | ?{$splunkhosts -notcontains $_}
  54. #Strip the list of anything but hostnames
  55. $Missing = select-string -Pattern $regex -InputObject $Missingtmp -AllMatches | % { $_.Matches } | % { $_.Value.ToUpper() } | select-object -unique | sort-object $_.Value
  56.  
  57. #We only need the ones that respond to ping
  58. write-host "List of missing sessions generated, pinging now."
  59. write-host "Captain Ramius: Re-verify our range to target... one ping only."
  60. write-host "Capt. Vasili Borodin: Captain, I - I - I just..."
  61. write-host "Captain Ramius: Give me a ping, Vasili. One ping only, please."
  62. write-host "Capt. Vasili Borodin: Aye, Captain."
  63.  
  64. Workflow Ramius
  65. {
  66. param($targets)
  67.     Foreach -Parallel ($target in $targets)
  68.     {
  69.         If(Test-Connection -Cn "$target" -Count 1 -TimeToLive 120 -quiet)
  70.         {Add-Content -path "\\emeadkhovsand01\logs\ssn\splunksearch\Missingtmp\$target.txt" -value $target}
  71.     }
  72. }    
  73. Ramius $Missing
  74. $PingedTargets = dir \\emeadkhovsand01\logs\ssn\splunksearch\Missingtmp\* -include *.txt -rec | gc
  75. select-string -Pattern $regex -InputObject $PingedTargets -AllMatches | % { $_.Matches } | % { $_.Value.ToUpper() } | select-object -unique | sort-object $_.Value > "\\emeadkhovsand01\logs\ssn\splunksearch\missing.txt"
  76. $Count = 0
  77. foreach ($counter in $PingedTargets)
  78.     {
  79.     $Count = $Count+1
  80.     }
  81. write-host "$Count missing Splunk forwarders, deploying them now."
  82. invoke-expression "\\emeadkhovsand01\scripts\ssn\psmagi\bulk_noconfirm.ps1 \\emeadkhovsand01\logs\ssn\splunksearch\missing.txt \\emeadkhovsand01\scripts\production\splunkfwd.vbs 0 120 MissingSplunks D"