https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571039#M10377 <P>Apologies, I was able to run this command in my environment and got results.&nbsp;<BR />index=_internal sourcetype=splunkd group=tcpin_connections (hostname="server1" OR hostname="server2")| stats latest(sourceIp) by hostname</P><P>&nbsp;</P><P>&nbsp;</P><P>Are you modifying the hostname variables to match your environment's servernames?</P> Thu, 14 Oct 2021 18:04:37 GMT Stefanie 2021-10-14T18:04:37Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571014#M10371 <P class="yiv7137020218MsoNormal"><SPAN>The following do not give the IP for the Splunk Enterprise Security (ES). Is there a better SPL to provide the list of all Splunk instances names, IPs. Specially the ES? Thanks a million in advance.</SPAN></P><P class="yiv7137020218MsoNormal">&nbsp;</P><P class="yiv7137020218MsoNormal"><SPAN>| rest /services/server/sysinfo splunk_server=local | table splunk_server</SPAN></P><P class="yiv7137020218MsoNormal"><SPAN>| rest /services/server/sysinfo splunk_server=local | table splunk_server | lookup dnslookup clienthost as splunk_server OUTPUT clienthost as ipAddress</SPAN></P><P class="yiv7137020218MsoNormal">&nbsp;</P> Thu, 14 Oct 2021 15:47:48 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571014#M10371 SamHTexas 2021-10-14T15:47:48Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571023#M10372 <P>You can try modifying this search to give you only the hostnames of your Splunk servers.</P><LI-CODE lang="markup">index=_internal sourcetype=splunkd group=tcpin_connections | stats latest(sourceIp) by hostname</LI-CODE> Thu, 14 Oct 2021 16:42:45 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571023#M10372 Stefanie 2021-10-14T16:42:45Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571027#M10373 <P>Thank u for your reply. Your SPL provides all the hosts in my environment that are many. How do I just look up the IPs of the 12 Splunk instances that I have like ES, SHs, License server etc. ? Thank u</P> Thu, 14 Oct 2021 17:02:05 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571027#M10373 SamHTexas 2021-10-14T17:02:05Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571032#M10374 <LI-CODE lang="markup">index=_internal sourcetype=splunkd group=tcpin_connections (hostname=server1 OR hostname=server2 OR hostname=server3) | stats latest(sourceIp) by hostname</LI-CODE><P>This is a basic way to add your Splunk server names.</P> Thu, 14 Oct 2021 17:27:51 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571032#M10374 Stefanie 2021-10-14T17:27:51Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571036#M10375 <P>Thank u very much for your message. I ran your last SPL on a Search head &amp; on my cluster master , no results were produced. Please advise.</P> Thu, 14 Oct 2021 17:49:16 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571036#M10375 SamHTexas 2021-10-14T17:49:16Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571039#M10377 <P>Apologies, I was able to run this command in my environment and got results.&nbsp;<BR />index=_internal sourcetype=splunkd group=tcpin_connections (hostname="server1" OR hostname="server2")| stats latest(sourceIp) by hostname</P><P>&nbsp;</P><P>&nbsp;</P><P>Are you modifying the hostname variables to match your environment's servernames?</P> Thu, 14 Oct 2021 18:04:37 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571039#M10377 Stefanie 2021-10-14T18:04:37Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571165#M10378 <P>Thanks again , I got no results. I even ran it with index=* and got no results.&nbsp;</P> Fri, 15 Oct 2021 20:18:34 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571165#M10378 SamHTexas 2021-10-15T20:18:34Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571223#M10379 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/228649">@SamHTexas</a>,</P><P>Please try the below SPL, it should show all your Splunk Infrastructure hostname, roles, and IP addresses. Unknown roles are being set as Heavy Forwarder.</P><LI-CODE lang="markup">index=_internal earliest=-24h source="*metrics.log" group=per_index_thruput series=_audit | stats count by host | fields host | append [ search index=_internal earliest=-15m source="*splunkd_access.log" uri_path="/services/search/jobs/export" | stats count by host | fields host | eval role="Search Head"] | append [ search index=_internal earliest=-15m source="*splunkd_access.log" uri_path="/servicesNS/-/SplunkEnterpriseSecuritySuite/admin/summarization" | stats count by host | fields host | eval role="Enterprise Security"] | append [| rest /services/search/distributed/peers | fields host title | rex field=title "(?&lt;ip&gt;[^:]+)" | table host ip] | append [ search earliest=-15m index=_internal source="*metrics.log" group=tcpin_connections destPort=9997 | stats count by host | fields host | eval role="Indexer"] | append [ search earliest=-120m index=_internal source="*metrics.log" name=instance TERM(shc_deployer) | stats count by host | fields host | eval role="SHCluster Deployer"] | append [ search earliest=-15m index=_internal source="*metrics.log" group=shclustering | stats count by host | fields host | eval role="SHCluster Member"] | append [ search earliest=-15m index=_internal source="*health.log" node_type=category node_path="splunkd.search_head_clustering.shc_captain" | stats latest(host) as host | eval role="SHCluster Captain"] | append [ search earliest=-15m index=_internal source="*metrics.log" group=cmmaster_* | stats count by host | fields host | eval role="Cluster Master"] | append [ search earliest=-15m index=_internal source="*metrics.log" group=deploy-server name=clients nTotal&gt;0 | stats count by host | fields host | eval role="Deployment Server"] | append [ search earliest=-15m index=_internal LicenseUsage sourcetype=splunkd type=Usage | stats latest(host) as host | eval role="License Master"] | append [ search index=_internal source="*metrics.log" group=tcpin_connections fwdType=full | stats latest(sourceIp) as ip by hostname | rename hostname as host] | stats values(role) as role values(ip) as ip by host | fillnull value="Heavy Forwarder" role | sort role</LI-CODE><P>&nbsp;</P> Sat, 16 Oct 2021 21:39:46 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-do-I-lookup-the-Name-amp-IP-addresses-of-my-Splunk-instances/m-p/571223#M10379 scelikok 2021-10-16T21:39:46Z