topic Re: How to find IP addresses events are coming from to verify if multiple VMs are under a single hostname? in Splunk Search

How to find IP addresses events are coming from to verify if multiple VMs are under a single hostname?

di2esysadmin — Tue, 19 Aug 2014 18:53:57 GMT

I suspect that multiple VMs (as yet unconfigured in our environment) are getting lumped together in the index under a single hostname ("unconfigured-win2008r2"). I'd like to verify this by finding the IP addresses that these events are coming from.

How do I do this?

thanks.

Re: How to find IP addresses events are coming from to verify if multiple VMs are under a single hostname?

richgalloway — Tue, 19 Aug 2014 19:07:55 GMT

You'll need to find the field(s) in your index that contain IP addresses. One way to do that is

<your search> | fields - _* | table *

This will list all of the fields available to you (except _raw, _time, etc.) and their values. Look through the table for meaningful values and then add the fields to your query.

Re: How to find IP addresses events are coming from to verify if multiple VMs are under a single hostname?

somesoni2 — Tue, 19 Aug 2014 19:29:39 GMT

Assuming that those VMs are hosting forwarder to send the data, they should be sending heartbeat to Splunk Indexer, which contains IP. Try this

index=_internal group="tcpin_connections" | table hostname sourceHost | dedup  hostname sourceHost

Re: How to find IP addresses events are coming from to verify if multiple VMs are under a single hostname?

di2esysadmin — Tue, 19 Aug 2014 20:26:27 GMT

This is interesting. The hostname I'm suspicious of doesn't even appear in the resultant table. Why would that be?

Re: How to find IP addresses events are coming from to verify if multiple VMs are under a single hostname?

BP9906 — Mon, 28 Sep 2020 17:22:05 GMT

I have a search labeled for this reason.
Splunk - Multiple machine reporting as same host (runs every 60m -1h@h - now)

I found that the RHEL kickstart with our splunkforwarder rpm always puts localhost in server.conf and inputs.conf so I have to go change it in etc/system/local. Alternatively, we get systems folks who duplicate servers (virtual), change server name, and dont tell me. This search handles all of the above.

index=internal sourcetype=splunkd hostname="*" | rex "(?i)hostname=(?P[\w-]+)" | stats count values(sourceIp) dc(sourceIp) as dup dc(guid) as dup_guid by agentname| where (agentname="localhost" OR dup>1 OR dup_guid>1) | search NOT (agentname="server1" OR agentname="server2")

server1 and server2 are known servers that have 2 or more IPs. This allows me to ignore servers with these names.

Re: How to find IP addresses events are coming from to verify if multiple VMs are under a single hostname?

di2esysadmin — Tue, 19 Aug 2014 20:43:47 GMT

For these apparently windows hosts, my query didn't include any IP addresses. Actually I tried this with a handful of centos hosts too. No IP addresses either.

Re: How to find IP addresses events are coming from to verify if multiple VMs are under a single hostname?

somesoni2 — Tue, 19 Aug 2014 20:54:33 GMT

I believe the hostname may not be available in all events (sometime just the IP is logged). Try these and see if you can get host name in any of the event.

index=internal group=tcp* OR group=per* OR group=ds_* | table *host* *Host* *ip* *Ip* *IP*

Re: How to find IP addresses events are coming from to verify if multiple VMs are under a single hostname?

ppeterson — Thu, 13 Oct 2016 13:20:11 GMT

Did anyone get this regex to work?

Re: How to find IP addresses events are coming from to verify if multiple VMs are under a single hostname?

BP9906 — Thu, 13 Oct 2016 13:43:13 GMT

The above search I posted resolved my issue.