topic Re: How do I check any record of a ip address? in Splunk Search

How do I check any record of a ip address?

tonyfer — Thu, 04 May 2023 15:54:26 GMT

index=* "23.216.147.64"

Above is my filter, I'm trying to get all the records of that IP address; is this filter correct? please help

thanks

tony

Re: How do I check any record of a ip address?

SanjayReddy — Fri, 05 May 2023 05:29:49 GMT

Hi @tonyfer

looks okay, you can try adding * before and after ip adress

"*23.216.147.64*"

However you are trying to use index=*, which genric and it consume lot of time and resources.

try to use specfic index name and if ip address you are looking , present in any of field, please use field name aa well

ex:
index=indexA <field_name>="*23.216.147.64*"

----
Regards,
Sanjay Reddy

----
If this reply helps you, Karma would be appreciated

Re: How do I check any record of a ip address?

gcusello — Fri, 05 May 2023 05:58:36 GMT

Hi @tonyfer,

in general, your solution is correct: adding a string (as "23.216.147.64") to your search, you perform a full text search on your logs, but it isn't so performant.

You could analyze your data and understand if the IPs to search are in a limited number of fields, in this case, you could change your main search in this way:

index=* (field1="23.216.147.64" OR field2="23.216.147.64" OR field3="23.216.147.64")

then you should check if, in the above fields, there's only the IP or something additional (e.g. "\\23.216.147.64"), in this case, you could also use the solution from @SanjayReddy .

Ciao.

Giuseppe

Re: How do I check any record of a ip address?

tonyfer — Thu, 11 May 2023 16:30:35 GMT

Sanjay, I've all the possible filters and still not manage to find details about the IP

index=* sourcetype="suricata" "*23.216.147.64*"
index=* sourcetype="fortigate_utm" "*23.216.147.64*"
index=* sourcetype="fortigate_traffic" "*23.216.147.64*"
index=* sourcetype="fortigate_event" "*23.216.147.64*"
index=* sourcetype="firewall" "*23.216.147.64*"
index=* sourcetype="sysmon" "*23.216.147.64*"
index=* sourcetype="xmlwineventlog" "*23.216.147.64*"
index=* sourcetype="xmlwineventlog:microsoft-windows-sysmon/operation" "*23.216.147.64*"
index=* sourcetype="WinEventLog:Security" "*23.216.147.64*"

can you please help me what I could be doing wrong ?

Thank

tony

Re: How do I check any record of a ip address?

tonyfer — Thu, 11 May 2023 16:32:33 GMT

I've tried all the below solutions and still no luck

Tony

Re: How do I check any record of a ip address?

yuanliu — Fri, 12 May 2023 05:23:55 GMT

Without an explanation of raw data, preferably with examples (anonymize as needed), "not manage to find details about the IP" and "no luck" conveys practically nothing. Why do you assume that 23.216.147.64 exists in your data? What "details" do you expect to find? What is the actual result that is absent of such details? Volunteers already know that the filter did not give you desired results. Otherwise you wouldn't ask the original question.