Does the Splunk Add-on for Microsoft Windows have a way to poll the IP address of Windows universal forwarders?

Path Finder

I would like to get the IP address of my Windows universal forwarders.

[WinHostMon://NetworkAdapter] doesn't give an IP, just MAC address.

[WinNetMon://inbound] and [WinNetMon://outbound] give an IP address, but it is also very noisy.

Does the Splunk Add-on for Microsoft Windows have a way to poll the UF IP using an interval?


Path Finder

I'm looking for something similar to this, but the solution given won't work. I need to know the IP address list associated with each MAC address on my servers. For unix, the interfaces type provides a nice table that works. Anything with this capability in windows?


Explorer

I think you could write and deploy a simple scripted input to just run "ipconfig /all" and index the results. May take some scripting to get it into a nicer format, but I honestly don't think this capability already exists in the Windows TA.

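The scripted-input idea above, worked through as an added example that is not part of the Splunk Add-on for Microsoft Windows or anyone's posted code. Instead of scraping "ipconfig /all" text, it reads Win32_NetworkAdapterConfiguration through CIM and writes one key=value line per IP-enabled adapter (IP, MAC, gateway, DNS servers, DHCP flag), which Splunk's automatic key=value extraction picks up without a custom sourcetype. The function name, field names and the assumption of Windows PowerShell 3.0 or later (for Get-CimInstance) are mine; nothing here comes from the add-on.

```powershell
# Added example, not part of the Splunk Add-on for Microsoft Windows.
# Emits one key=value event per IP-enabled adapter so that a scheduled
# scripted input on the forwarder indexes IP, MAC, gateway and DNS details
# together. Assumes Windows PowerShell 3.0 or later (Get-CimInstance).

function Get-AdapterEvents {
    $timestamp = Get-Date -Format 'yyyy-MM-ddTHH:mm:sszzz'
    $computer  = $env:COMPUTERNAME

    # Only adapters with an IP stack bound: this skips disabled NICs and the
    # many filter/virtual adapters that WinHostMon://NetworkAdapter also lists.
    $configs = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
                               -Filter 'IPEnabled = TRUE'

    foreach ($cfg in $configs) {
        # IPAddress mixes IPv4 and IPv6 strings; split them into separate fields.
        $addrs = @($cfg.IPAddress)
        $ipv4  = @($addrs | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' })
        $ipv6  = @($addrs | Where-Object { $_ -match ':' })

        # Strip double quotes from free-text values so they cannot break the
        # quoting below; quote every value so comma-separated lists stay intact.
        $description = ($cfg.Description -replace '"', '')

        '{0} host="{1}" interface="{2}" if_index={3} mac="{4}" ipv4="{5}" ipv6="{6}" gateway="{7}" dns_servers="{8}" dns_suffix="{9}" dhcp_enabled={10}' -f `
            $timestamp,
            $computer,
            $description,
            $cfg.InterfaceIndex,
            $cfg.MACAddress,
            ($ipv4 -join ','),
            ($ipv6 -join ','),
            (@($cfg.DefaultIPGateway) -join ','),
            (@($cfg.DNSServerSearchOrder) -join ','),
            $cfg.DNSDomain,
            [int]$cfg.DHCPEnabled
    }
}

Get-AdapterEvents
```

Deploy the script to the forwarders with whatever app you already push, and schedule it either through the Windows add-on's powershell modular input (a `[powershell://<name>]` stanza whose `script` key runs the file and whose `schedule` key takes a cron expression) or a plain `[script://...]` stanza with an `interval`; give it its own sourcetype so `| stats latest(ipv4) latest(dns_servers) by host, mac` returns one row per adapter. Note that this reports the addresses configured on the host itself, whereas the `tcpin_connections` search in metrics.log reports the address the indexer saw the forwarder's TCP connection come from; behind NAT or a load balancer those two differ.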

SplunkTrust

I don't think the answer you are after is where you are looking. However, this information IS in Splunk:

index=_internal source=*metrics.log group=tcpin_connections | stats count(_time) AS checkins, latest(_time) AS last_checkin by sourceHost, sourceIp

Obviously, that's just a sample or example. I don't know the purpose you want to put it to or how you want to use it, so I just guessed at some small but reasonable search to show. Hopefully this will help you get started. Also, if you search for something like "splunk list forwarders" you'll get more answers, questions and blog entries on this topic.


Path Finder

Yeah, I suppose that would somewhat work. I was hoping to use the Splunk App for Windows to get all network adapter information in full: IP and MAC and DNS, etc.


SplunkTrust

Sorry, I think I distracted myself with the "app for windows" portion. 😞

There should be both in the events themselves. Check, for instance, src_ip. src_ip, src_domain and src_nt_host are all available, which tells you a lot.

Field names may vary - do the "show more fields" (because there's probably a LOT more available than are showing) and in there you can search for "ip" and it should tell you what fields are available for use.


Path Finder

Hmm, I'm not seeing src_ip and src_nt_host.

These are the inputs that I have enabled:

###### OS Logs ######
[WinEventLog://Security]
disabled = 0

[WinEventLog://Application]
disabled = 0

[WinEventLog://System]
disabled = 0

###### Host monitoring ######
[WinHostMon://NetworkAdapter]
disabled = 0

###### Network monitoring ######
[WinNetMon://inbound]
disabled = 0

[WinNetMon://outbound]
disabled = 0

Any ideas?
