topic Re: How can I use iplocation to include the IP in my alert search results for account lockouts? in Splunk Search

How can I use iplocation to include the IP in my alert search results for account lockouts?

Gayathirik — Wed, 03 Aug 2016 08:16:30 GMT

I have a search to alert on account lockouts:

index=winsec EventCodeDescription="A user account was locked out"|dedup user| stats count as total by _time host user

I need to get the "IP" as well when the account is locked out. Could you please help me on getting the IP address of the system along with this event alert search?

Regards,
Gayathiri K

Re: How can I use iplocation to include the IP in my alert search results for account lockouts?

hliakathali_spl — Tue, 29 Sep 2020 10:27:47 GMT

You would have to use some DNSlookup type of things to get IP address from host name. And you can use clientip, src_ip, dns_ip, server_ip..Etc according to your Splunk naming conversion you have to use the search strings. See the props.conf file for host and ip

Try to use this query,

index=_audit action="login attempt" info="succeeded"| head 20 | iplocation clientip | table clientip, user, _time

Re: How can I use iplocation to include the IP in my alert search results for account lockouts?

sundareshr — Wed, 03 Aug 2016 19:48:26 GMT

Try this

index=winsec EventCodeDescription="A user account was locked out"| stats count as total by _time host user Source_Network_Address

Re: How can I use iplocation to include the IP in my alert search results for account lockouts?

Gayathirik — Thu, 04 Aug 2016 08:49:27 GMT

This is not working..Could you please tell me some other possible way to find it out?

Re: How can I use iplocation to include the IP in my alert search results for account lockouts?

Gayathirik — Thu, 04 Aug 2016 13:36:04 GMT

Excellent Harish!!! This really works!!!!