Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to export IPs of all hosts logging to a specific index to a text file, and can we choose where this file is exported to?

sdorsey15
New Member
‎12-09-2015 06:14 PM

Hello all - hoping this isn't too difficult.

I am looking to export the IP addresses of all hosts logging to a specific index to a text file. I have this:

| metadata type=hosts index=[example index] | stats count by host

But this shows the name of the host. When I manually look through the logs, I don't see the source IP as a field. Just the hostname configured in the outputs.conf of each machine.

Then the second part is exporting them to a text file; is this accurate? 

outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv results.txt

I believe this will export it to $SPLUNK_HOME/var/run/splunk/results.txt. Is it possible to change where it exports the txt file? I would like the text file placed in the Splunk web dir so the text file is hosted and can be queried by other devices.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎12-11-2015 02:02 AM

You can get the ip addresses into a file with just the following search

|metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | fields clientip | outputcsv results.csv

The documentation states that you can't change the location. http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Outputcsv
See comment below regarding cron

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎12-11-2015 02:02 AM

You can get the ip addresses into a file with just the following search

|metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | fields clientip | outputcsv results.csv

The documentation states that you can't change the location. http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Outputcsv
See comment below regarding cron

0 Karma
Reply
Solved! Jump to solution

sdorsey15
New Member
‎12-11-2015 07:15 AM

Thanks! I ran this search but the resulting text file just contains one line that says "clientip".

I verified |metadata type=hosts index= correctly lists all of the hosts reporting to that index.

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎12-11-2015 07:33 AM

I may have done the lookup incorrectly

Make sure you are getting values for 

|metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | table host clientip

If the clientip field is blank for all your hosts, have you tried resolving the hostname manually on your server?

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎12-11-2015 02:35 AM

You cant change the location of the output. You would need to cron and script a move of that file somewhere...

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...