topic Re: How to replace hostname with IP in result? in Splunk Search

How to replace hostname with IP in result?

aojie654 — Thu, 11 Jul 2019 05:18:36 GMT

Hi, splunkers:

I have a puzzle that I need to show host IP in result but not the hostname. E.g. after I ran the search query index=* error | stats count by host the result looks like following:

host    count
aj-ins5577  229
sja_v_jp0_236   4

But I need to show the IP in the result bu not hostname just like:

host    count
10.6.10.132    229
10.6.11.10    4

And I have no lookup table on my server. So is there any method to get ip in splunk?
I found a REST way to list all forwarders IP in search like run | rest /services/deployment/server/clients | table hostname, ip and the result is:

hostname    ip
aj-ins5577  10.6.10.132
sja_v_jp0_236   10.6.11.10
sja_b_us0_139   10.6.10.111

I think maybe I can append a output command to export the result then I can use the lookup table to display the IP in result. But there are obviously a disadvantage is there is only the forwarders IP in it but no indexer and search heads in it.

Is there any good ideas? Thanks!

Best regards,
Shengjyer Ao

Re: How to replace hostname with IP in result?

woodcock — Thu, 11 Jul 2019 05:22:52 GMT

The easiest way is just to do a DNS lookup by adding this to your search:

... | lookup dnslookup clientip AS host

Re: How to replace hostname with IP in result?

woodcock — Thu, 11 Jul 2019 05:25:41 GMT

Like this:

<Your first search here>
| eval which="main"
| appendpipe [|rest/services/deployment/server/clients | table hostname ip | rename hostname As host]
| stats values(*) AS * BY host
| where which=="main"

Re: How to replace hostname with IP in result?

aojie654 — Thu, 11 Jul 2019 05:55:13 GMT

Hi, woodcock:

I used the search query following you like this:
index=_internal error | stats count by host | appendpipe [|rest/services/deployment/server/clients | table hostname ip | rename hostname As host ] | stats values(*) AS * BY host | eval host=if(isnotnull(ip), ip, host) | fields host count
And the result is looks like this:
host count
10.6.10.132 12834
aojie654-splunk-aab4 2806
sja-q-sh0-110 80
10.6.11.10 14
10.6.10.111 10
It looks like the fowarders result is good and the indexers and search head is still display their hostname, any idea to replace their hostname with IP?

Re: How to replace hostname with IP in result?

woodcock — Thu, 11 Jul 2019 06:36:49 GMT

Like this:

index=_internal error 
| stats count by host 
| append
[|rest/services/deployment/server/clients 
| table hostname ip 
| rename hostname As host] 
| stats values(*) AS * BY host
| eval host=coalesce(ip, host)
| fields host count

Re: How to replace hostname with IP in result?

woodcock — Thu, 11 Jul 2019 06:37:35 GMT

And if you still have problems, SEE MY OTHER ANSWER!

Re: How to replace hostname with IP in result?

aojie654 — Thu, 11 Jul 2019 06:44:42 GMT

I'll using python to replace hostname with IP and thanks a lot for you help ^_^

Re: How to replace hostname with IP in result?

woodcock — Thu, 11 Jul 2019 14:44:26 GMT

Then why did you ask a question that has absolutely nothing to do with what you really are doing and need?