topic Determine Source IP of log entry in Knowledge Management

Determine Source IP of log entry

jwilson_clover — Mon, 07 Mar 2016 22:35:56 GMT

I have log entries that are appearing in Splunk that are being labeled as coming from a specific host, but that host isn't even turned on.

How can I view the origin IP of a log entry regardless of the host label?

Re: Determine Source IP of log entry

masonmorales — Mon, 07 Mar 2016 23:22:38 GMT

This is not possible. The only metadata associated to any particular event (by default) is: host, sourcetype, source, and index. You could create a new indexed field extraction to identify the origin IP, or apply a transformation to the host field, but you have to configure it, and it will only be applied to future events.

You might also consider setting the host field to the desired value(s) in inputs.conf for each input stanza on your forwarder(s).

See:
http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction
http://docs.splunk.com/Documentation/Splunk/6.0/Data/Overridedefaulthostassignments

Re: Determine Source IP of log entry

jwilson_clover — Tue, 08 Mar 2016 00:20:18 GMT

All the hosts have that set, yet this mysterious entry keeps appearing.