How to export IPs of all hosts logging to a specific index to a text file, and can we choose where this file is exported to?

sdorsey15
New Member

Hello all - hoping this isn't too difficult.

I am looking to export the IP addresses of all hosts logging to a specific index to a text file. I have this:

| metadata type=hosts index=[example index] | stats count by host

But this shows the name of the host. When I manually look through the logs, I don't see the source IP as a field. Just the hostname configured in the outputs.conf of each machine.

Then the second part is exporting them to a text file; is this accurate?

outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv results.txt

I believe this will export it to $SPLUNK_HOME/var/run/splunk/results.txt. Is it possible to change where it exports the txt file? I would like the text file placed in the Splunk web dir so the text file is hosted and can be queried by other devices.

0 Karma
1 Solution

jplumsdaine22
Influencer

You can get the IP addresses into a file with just the following search:

|metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | fields clientip | outputcsv results.csv

The documentation states that you can't change the location: http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Outputcsv
See the comment below regarding cron.


0 Karma

sdorsey15
New Member

Thanks! I ran this search but the resulting text file just contains one line that says "clientip".

I verified |metadata type=hosts index= correctly lists all of the hosts reporting to that index.

0 Karma

jplumsdaine22
Influencer

I may have done the lookup incorrectly.

Make sure you are getting values for

|metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | table host clientip

If the clientip field is blank for all your hosts, have you tried resolving the hostname manually on your server?

0 Karma

esix_splunk
Splunk Employee

You can't change the location of the output. You would need to cron and script a move of that file somewhere...
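A post-processing step for that cron job, added here as an example that is not from the thread or from Splunk's own tooling: it assumes the search was run as `| metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | table host clientip | outputcsv results` and that the script is handed the text of the resulting CSV. It handles the failure mode reported above (rows where dnslookup returned no clientip) by falling back to a local DNS lookup, drops anything that is not a valid address, and refuses to publish an empty list. The function names, the sample CSV and the destination path are hypothetical.

```python
import csv
import io
import ipaddress
import os
import socket
import tempfile

# Constructed sample of what `| table host clientip | outputcsv` produces,
# including blank clientip values (the header-only symptom from the thread),
# a duplicate row and a value that is not an address at all.
SAMPLE_CSV = """host,clientip
web01.example.internal,10.0.1.10
web02.example.internal,
db01.example.internal,10.0.2.5
web01.example.internal,10.0.1.10
orphan.example.internal,
bogus.example.internal,not-an-ip
"""

def collect_ips(csv_text, resolver=socket.gethostbyname):
    """Return a sorted, de-duplicated list of IP strings from the exported CSV.
    A blank clientip falls back to resolving the hostname from this box (the
    manual check suggested in the thread); anything that still is not a valid
    address is left out rather than exported as junk."""
    ips = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = (row.get("clientip") or "").strip()
        if not value:
            try:
                value = resolver(row["host"].strip())
            except OSError:  # socket.gaierror and friends: unresolvable host
                continue
        try:
            ips.add(ipaddress.ip_address(value))
        except ValueError:  # empty, None, or garbage such as "not-an-ip"
            continue
    return [str(ip) for ip in sorted(ips, key=lambda ip: (ip.version, ip))]

def write_hostlist(ips, dest_path):
    """Write the list atomically (temp file + rename) with owner-only
    permissions, so a web server serving the file never sees a half-written
    copy and the export is not world-readable unless you choose to make it so.
    Refuses to replace the destination with an empty list."""
    if not ips:
        raise ValueError("no IPs to export; fix the lookup before publishing")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(dest_path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(ips) + "\n")
    os.chmod(tmp, 0o600)
    os.replace(tmp, dest_path)
    return len(ips)
```

Run it from the cron entry after the search has written the CSV, pointing dest_path at the directory your web server publishes, and adjust the permissions deliberately if that server runs as a different user.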
