Hello all - hoping this isn't too difficult.
I am looking to export the IP addresses of all hosts logging to a specific index to a text file. I have this:
| metadata type=hosts index=[example index] | stats count by host
But this shows the name of the host. When I manually look through the logs, I don't see the source IP as a field. Just the hostname configured in the outputs.conf of each machine.
Then the second part is exporting them to a text file; is this accurate?
outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv results.txt
I believe this will export it to $SPLUNK_HOME/var/run/splunk/results.txt. Is it possible to change where it exports the txt file? I would like the text file placed in the Splunk web dir so the text file is hosted and can be queried by other devices.
You can get the ip addresses into a file with just the following search
|metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | fields clientip | outputcsv results.csv
The documentation states that you can't change the location. http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Outputcsv
See comment below regarding cron
Thanks! I ran this search but the resulting text file just contains one line that says "clientip".
I verified |metadata type=hosts index= correctly lists all of the hosts reporting to that index.
I may have done the lookup incorrectly
Make sure you are getting values for
|metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | table host clientip
If the clientip field is blank for all your hosts, have you tried resolving the hostname manually on your server?
You can't change the location of the output. You would need to cron and script a move of that file somewhere...
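The "cron and script a move" step above, written out as an added example (this is not code from the thread or from Splunk). It assumes the scheduled search ends in `| fields clientip | outputcsv results.csv`, so the file in `$SPLUNK_HOME/var/run/splunk/` has a single `clientip` column, and it assumes the hosting target is an app's `appserver/static` directory (the `search` app and the `hosts.txt` name are illustrative). Before publishing it checks the two failure modes raised in the thread: a header-only file (the lookup resolved nothing) and rows that are not IPv4 addresses.

```shell
#!/bin/sh
# Added example, not from the thread: a cron-able publisher for the CSV that
# `| outputcsv results.csv` leaves in $SPLUNK_HOME/var/run/splunk/.
# Paths, the hosts.txt name and the "search" app are assumptions.

# publish_iplist SRC_CSV DEST_FILE
#   Validates SRC_CSV (one "clientip" column of IPv4 addresses), then writes a
#   de-duplicated, one-address-per-line file atomically to DEST_FILE.
#   Returns non-zero and writes nothing if the CSV is missing, is header-only
#   (the thread's symptom when dnslookup resolved nothing), or contains
#   anything that is not a dotted quad.
publish_iplist() {
    src="$1"
    dest="$2"

    [ -s "$src" ] || { echo "publish_iplist: $src missing or empty" >&2; return 1; }

    # outputcsv writes the field name as the first row; after `| fields clientip`
    # that row must be exactly "clientip". Strip CRs in case the file is CRLF.
    header=$(head -n 1 "$src" | tr -d '\r')
    [ "$header" = "clientip" ] || { echo "publish_iplist: unexpected header '$header'" >&2; return 2; }

    # Data rows: drop the header, CRs, CSV quoting and blank lines.
    rows=$(tail -n +2 "$src" | tr -d '\r"' | grep -v '^$' || true)
    [ -n "$rows" ] || { echo "publish_iplist: header only, no clientip values; check the lookup" >&2; return 3; }

    # Refuse to publish unless every row is a valid IPv4 address (four numeric
    # octets, each 0-255). Anything else means the lookup emitted hostnames or
    # junk, and that should not be served to other devices.
    if ! printf '%s\n' "$rows" | awk -F. '
        BEGIN { bad = 0 }
        NF != 4 { bad = 1; exit }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) { bad = 1; exit } }
        END { exit bad }'; then
        echo "publish_iplist: non-IPv4 row present, refusing to publish" >&2
        return 4
    fi

    # Write to a temp file in the destination directory, then rename, so a
    # client fetching DEST_FILE never sees a half-written list.
    tmp="$dest.tmp.$$"
    printf '%s\n' "$rows" | sort -u > "$tmp" || { rm -f "$tmp"; return 5; }
    chmod 0644 "$tmp"   # splunkweb must be able to read the published file
    mv -f "$tmp" "$dest"
}

# Example cron entry (as the splunk user), run after the scheduled search:
#   */15 * * * * /opt/splunk/bin/publish_iplist.sh
# where the script calls (paths assumed):
#   publish_iplist "$SPLUNK_HOME/var/run/splunk/results.csv" \
#                  "$SPLUNK_HOME/etc/apps/search/appserver/static/hosts.txt"
# which splunkweb then serves at /static/app/search/hosts.txt
```

One caveat on the hosting choice: a file dropped into `appserver/static` is served by splunkweb to anything that can reach that port, and this file is an inventory of every host forwarding to the index. Confirm that matches who is allowed to see it before pointing other devices at it; if not, put a reverse proxy or network allowlist in front of the static path rather than relying on the file being obscure.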