topic splunk internal logs, precisions on the "clientip" field in Splunk Search

splunk internal logs, precisions on the "clientip" field

mabonjean — Wed, 26 Dec 2018 13:19:48 GMT

Hi,

I want to list all Deployment client on a dashboard in my Search Head with the following request:
index=_internal host="my Deployment Server" | dedup clientip |table clientip [...]

In the result, I have the list of my Deployment Client, The Deployment Server, localhost loop and serveral proxy IP.

The fowarding management of theses proxies aren't in my cluster then it's my Deployment Server which manage them. They are fully independant of my client pool and I don't collect their logs.
In the fowarding management menu, I don't see these clients.

What exactly contains the fields "clientip" of Splunk internal logs ?
And why I see theses proxy address in my Deployment Server clientip ? any idea ?

Thank you.
Best regards

Re: splunk internal logs, precisions on the "clientip" field

richgalloway — Wed, 26 Dec 2018 15:45:06 GMT

To see where the client IP addresses are coming from, try this search.

index=_internal TERM(clientip address goes here)

The results returned will show the host and source of the events as well as details of the event that sent the IP address.

Re: splunk internal logs, precisions on the "clientip" field

mabonjean — Wed, 26 Dec 2018 16:06:55 GMT

I don't a forgotten elements in my question.
I select the Deployment Server as host in my request.

When I list all clientip, I have more client than I have in the Deployment Server.

Ma main question is : what is "clientip" ? Which data does it contains ?

Re: splunk internal logs, precisions on the "clientip" field

richgalloway — Wed, 26 Dec 2018 18:50:56 GMT

When you run the query in my original comment you'll get events containing the client IP addresses. Close examination of the events should tell you why they're showing up.

Re: splunk internal logs, precisions on the "clientip" field

p_gurav — Thu, 27 Dec 2018 05:56:06 GMT

This may help:

index=_internal host=<yourDS>  POST /services/broker/phonehome/connection | 
 rex field=uri "_(?<fwd_name>[^_]+)_(?<fwd_id>[-0-9A-Z]+)$" | 
 stats latest(eval(now()-_time)) as Latest earliest(eval(now()-_time)) as Earliest by fwd_name fwd_id clientip |
 rename clientip as fwd_ip

Re: splunk internal logs, precisions on the "clientip" field

mabonjean — Thu, 27 Dec 2018 09:23:20 GMT

Thanks @p_gurav,
Your request is really helpfull.
With it, I can easily see what I want.

Re: splunk internal logs, precisions on the "clientip" field

p_gurav — Thu, 27 Dec 2018 09:48:35 GMT

Great!! Please accept the answer if its helpful!!