topic Re: How do I find internal and external ip addresses of splunk universal forwarder? in Splunk Search

How do I find internal and external ip addresses of splunk universal forwarder?

snakhuda — Thu, 19 Jan 2023 18:27:08 GMT

Hi there,

I have a use case to query internal and external ip addresses of the host which has UF installed. I am using approach below and hoping for a better solution. Appreciate your help in advance!

For external IP:

index=_internal group=tcpin_connections hostname=*

This will provide me sourceIp (external ip)

For Internal IP:

index=_internal sourcetype=splunkd_access phonehome | rex command to retrieve internal ip from the string

Is this the correct approach? I was hoping for a single search to retrieve both IPs.

Re: How do I find internal and external ip addresses of splunk universal forwarder?

yeahnah — Fri, 20 Jan 2023 01:29:55 GMT

Hi @snakhuda

I'm not sure what you mean by external and internal IP address for a Splunk UF. However, if you needed to tie these two events together then something like this should work for you

index=_internal (group=tcpin_connections hostname=* sourceIp=* guid=*) OR (sourcetype=splunkd_access phonehome clientip=*)
| rex field=file "(?:(.+?_)){4}(?<hostname>[^_]+)_(?<guid>.*)"
| fields guid hostname sourceIp clientip
| rename sourceIp AS externalIP clientip AS internalIP
| stats values(*) AS * BY guid

Hopefully this helps you find what you're looking for

Re: How do I find internal and external ip addresses of splunk universal forwarder?

gcusello — Fri, 20 Jan 2023 07:10:14 GMT

Hi @snakhuda,

running this search you can have all the information about connected clients, also IP:

| rest splunk_server=<hostname_deployment_server> /services/deployment/server/clients

Ciao.

Giuseppe

Re: How do I find internal and external ip addresses of splunk universal forwarder?

snakhuda — Fri, 20 Jan 2023 23:17:56 GMT

Thank you! This is much better. I was doing running 2 separate queries and then going to use 2 lookup tables to retrieve IPs by hostname. Appreciate your help!

Thanks!!

Re: How do I find internal and external ip addresses of splunk universal forwarder?

gcusello — Sat, 21 Jan 2023 06:38:38 GMT

Hi @snakhuda,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Re: How do I find internal and external ip addresses of splunk universal forwarder?

BTrust — Tue, 03 Dec 2024 10:31:01 GMT

Hi @yeahnah,

Unfortunately your solution don't provide the truth as the clientIp is NOT equal to the Internal IP, it's unfortunately the public IP, which is not that same as the internal - and what I'd rather call the Private IP.

The reason I know this is because I'm sitting with a bunch of external UF calling home to a DPL outside the network to all UF's, and I need to get the same information - the internal (private) IP, but it's not available.

Till now I only see one way, which is scripted input and/or an existing app that collects this info.

Your search is still good 😉 it just don't provide what's requested.

Re: How do I find internal and external ip addresses of splunk universal forwarder?

PickleRick — Tue, 03 Dec 2024 11:34:52 GMT

To answer such question one should first define what "internal" and "external" IPs mean here given many possible deployment scenarios including multihomed hosts, NAT-s, intermediate forwarders, proxies and so on. Only then one can start digging into available data.

Re: How do I find internal and external ip addresses of splunk universal forwarder?

BTrust — Tue, 03 Dec 2024 11:42:10 GMT

Hi @PickleRick ,

I agree to a certain extend.

The question was here how to "find internal and external ip addresses", and I think we here can agree on, that it's not the Internal IP that is presented, unless they are sitting on the same network. But as many (most I suppose) are more or less distributed, you'll not be able to get the internal ip this way - right?

Re: How do I find internal and external ip addresses of splunk universal forwarder?

PickleRick — Tue, 03 Dec 2024 12:41:58 GMT

The question was very vague and ambiguous.

Let's consider a situation where you have a server hosting two interfaces - 192.168.10.23/24 and 172.17.1.10/24. It receives HEC data on the 172.17.1.10 interface and has a default route via 192.168.10.1. It sends its data to an indexer located at 10.1.2.3/24 but the connection is SNAT-ed so it appears to the indexer as coming from 10.20.1.1.

What is internal and external in this case? It is _not_ straightforward. I could throw in an intermediate forwarder to this mix and possibly some HTTP proxy.

"Internal" and "external" mean different things depending on where you look from.

Re: How do I find internal and external ip addresses of splunk universal forwarder?

BTrust — Tue, 03 Dec 2024 12:58:00 GMT

As you say: "is _not_ straightforward", and I agree, why I think the "solution" here is vague, and ought to be refined

Re: How do I find internal and external ip addresses of splunk universal forwarder?

seth_a_zuykn-io — Tue, 07 Oct 2025 17:54:49 GMT

@snakhuda We built this for the external public IP portion if you need it still:
https://zuykn.io/apps/splunk
https://github.com/zuykn/TA-get_public_ip

Get Public IP Add-on
━━━━━━━━━━━

A lightweight, cross-platform add-on that collects your Splunk Forwarder’s external public IPv4 address using native system commands only — implemented in Windows Batch (.bat) and POSIX sh (Linux / Unix / macOS).

━━━━━━━━━━━
⚙️Highlights
• HTTPS or DNS lookup with intelligent fallback
• No dependencies — built-in system tools only
• Auto-selects commands:
　↳ Windows → curl, certutil, bitsadmin, nslookup
　↳ Linux / macOS → curl, wget, dig, nslookup
• Works with any IPv4-returning site — checkip.amazonaws.com, ipinfo.io/ip, icanhazip.com, etc.

Let me know if you have any questions!
- Seth

Re: How do I find internal and external ip addresses of splunk universal forwarder?

BTrust — Tue, 07 Oct 2025 20:08:58 GMT

Hi @seth_a_zuykn-io ,

Thanks a lot, this was indeed an interesting read and useful input, most appreciated!

/Bjarbe

Re: How do I find internal and external ip addresses of splunk universal forwarder?

seth_a_zuykn-io — Tue, 14 Oct 2025 17:05:28 GMT

No prob! We just updated it to v1.1.0 to support IPv6 too. So you can index ipv4 and ipv6 automatically or choose which one you want.

Re: How do I find internal and external ip addresses of splunk universal forwarder?

seth_a_zuykn-io — Mon, 17 Nov 2025 15:30:06 GMT

FYI, it's on official Splunkbase now:
https://splunkbase.splunk.com/app/8107