How do I update this S.o.S - Splunk on Splunk search to also get the IP address of the host?

pb0543
Explorer

I am using this search from SOS to find out the version, CPU, etc. Does anyone know how I can update this search to provide me the IP address of the host also?

index=_internal source=*metrics.log* group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(build) AS build latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version by sos_server

richgalloway
SplunkTrust

This works on my system.

index=_internal source="*/metrics.log" group=tcpin_connections | regex hostname!="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval sos_server=hostname | stats latest(build) AS build latest(arch) AS cpu_arch latest(fwdType) AS forwarder_type latest(os) AS os_name latest(version) AS version latest(sourceIp) AS IP by sos_server
---
If this reply helps you, an upvote would be appreciated.