Hello all - hoping this isn't too difficult.
I am looking to export the IP addresses of all hosts logging to a specific index to a text file. I have this:
| metadata type=hosts index=[example index] | stats count by host
But this shows the name of the host. When I manually look through the logs, I don't see the source IP as a field. Just the hostname configured in the outputs.conf of each machine.
Then the second part is exporting them to a text file; is this accurate?
outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv results.txt
I believe this will export it to $SPLUNK_HOME/var/run/splunk/results.txt. Is it possible to change where it exports the txt file? I would like the text file placed in the Splunk web dir so the text file is hosted and can be queried by other devices.
jplumsdaine22:
You can get the ip addresses into a file with just the following search
|metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | fields clientip | outputcsv results.csv
The documentation states that you can't change the location. http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Outputcsv
See comment below regarding cron
Thanks! I ran this search but the resulting text file just contains one line that says "clientip".
I verified |metadata type=hosts index= correctly lists all of the hosts reporting to that index.
jplumsdaine22:
I may have done the lookup incorrectly.
Make sure you are getting values for:
|metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | table host clientip
If the clientip field is blank for all your hosts, have you tried resolving the hostname manually on your server?
esix_splunk (Splunk Employee):
You can't change the location of the output. You would need to cron and script a move of that file somewhere...
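Putting the cron-and-script suggestion into practice, as an added example that is not code from this thread or from Splunk: a POSIX shell script that post-processes the file written by outputcsv, drops the header and any blank or malformed rows (a header-only file is exactly what the "just one line that says clientip" symptom above produces), and moves the cleaned list into a web directory atomically. SPLUNK_HOME, the csv/ subdirectory, the destination path and the cron schedule are assumptions to adjust for your instance.

```shell
#!/bin/sh
# Added example, not code from the thread or from Splunk. Post-process the file
# written by "... | fields clientip | outputcsv results.csv" and publish it.
# Assumptions: SPLUNK_HOME, the csv/ subdirectory under var/run/splunk, and the
# web directory are placeholders; adjust them for your instance.
SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SRC="${SRC:-$SPLUNK_HOME/var/run/splunk/csv/results.csv}"
DEST="${DEST:-/path/to/web/dir/hosts.txt}"

# Print one validated IPv4 address per line. The first CSV line is the header
# ("clientip"); blank rows (hosts the dnslookup could not resolve), CRs, quotes
# and anything that is not a dotted quad with octets 0-255 are dropped, and
# duplicates are removed.
extract_ips() {
    tail -n +2 "$1" \
      | tr -d '\r"' \
      | awk -F. 'NF == 4 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9]+$/ || $i > 255) ok = 0
            if (ok) print
        }' \
      | sort -u
}

# Write the cleaned list next to the destination, then rename it into place so
# readers never see a half-written file. Refuses to publish an empty list, which
# is what a header-only results file (the symptom reported above) produces.
publish_ips() {
    src="$1"; dest="$2"
    tmp="$(mktemp "$dest.XXXXXX")" || return 1
    if ! extract_ips "$src" > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "no IP addresses extracted from $src; leaving $dest untouched" >&2
        return 2
    fi
    # The file is an inventory of your reporting hosts: readable by the web
    # server, not writable, and the web path should be restricted to the
    # devices that actually need it.
    chmod 0644 "$tmp" && mv -f "$tmp" "$dest"
}

# Run from cron (schedule is an example), e.g.:
#   */15 * * * * /usr/local/bin/publish_hosts.sh --run
case "${1:-}" in
    --run) publish_ips "$SRC" "$DEST" ;;
esac
```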