topic Re: How to get the host IP address from the search? in Getting Data In

How to get the host IP address from the search?

abassydo2018 — Wed, 30 May 2018 16:16:15 GMT

Hello,

I will like to see the IP address of the host in this search result. I do not know what I am doing wrong. Please help and advise

index="f5_syslog" sourcetype=syslog source dest=* unix_category=all_hosts | table source host host_ip

source↕

 host↕

/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log      gtmwalldmzsp1  
/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log      gtmwalldmzsp1  
/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log     ltmdmzwall01mgmt  
/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log     ltmdmzwall01mgmt



Re: How to get the host IP address from the search?

somesoni2 — Wed, 30 May 2018 16:27:18 GMT

Is the host ip being logged in your raw data/events? Could you share some sample log entry (mask anything that's sensitive like IP address, host names etc).

Re: How to get the host IP address from the search?

abassydo2018 — Wed, 30 May 2018 16:38:17 GMT

Yes, I think so.

2018-05-30T06:20:12-04:00 gtmwalldmzsp1 info logger: [ssl_req][30/May/2018:06:20:12 -0400] 192.168.137.64 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "/cgi-bin/view-source" 199

host = gtmwalldmzsp1

source = /opt/data/splunk/gtmwalldmzsp1/2018-06-01.log

sourcetype = syslog

Re: How to get the host IP address from the search?

dflodstrom — Wed, 30 May 2018 17:59:15 GMT

The IP address appears in the raw event but is it being parsed out into a field? In your search you're making a table with these fields | table source host host_ip If you're not seing any values in host_ip perhaps the field has a different name.

Re: How to get the host IP address from the search?

jodyfsu — Wed, 30 May 2018 18:11:46 GMT

I agree with dflodstrom, if the IP address is not being placed into a field already, you can use rex to do it:
| rex "info\slogger:\s[.[^]]+][.[^]]+]\s(?.[^\s]+)"
| table source host host_ip

Re: How to get the host IP address from the search?

abassydo2018 — Tue, 29 Sep 2020 19:47:16 GMT

I got the result I wanted. I needed to go into the LB to check for the pool-name adn the status of the members of the LB. Then I added the values to the field and I got the Result I wanted.

index="device_name" unix_category=all_hosts pool_name="pool-name" | spath address | table host address session_status status_reason

Thank you guys, I really appreciate your help and support. You guys are just too great.

Re: How to get the host IP address from the search?

niketn — Wed, 30 May 2018 19:07:34 GMT

@abassydo2018, I have converted your comment to Answer. Please accept the same to mark this question as answered and benefit other users facing similar issue in future!

Re: How to get the host IP address from the search?

abassydo2018 — Wed, 30 May 2018 19:12:11 GMT

Thank you NiketNilay