Getting Data In

How to export IPs of all hosts logging to a specific index to a text file, and can we choose where this file is exported to?

sdorsey15
New Member

Hello all - hoping this isn't too difficult.

I am looking to export the IP addresses of all hosts logging to a specific index to a text file. I have this:

| metadata type=hosts index=[example index] | stats count by host

But this shows the name of the host. When I manually look through the logs, I don't see the source IP as a field. Just the hostname configured in the outputs.conf of each machine.

Then the second part is exporting them to a text file; is this accurate?

outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv results.txt

I believe this will export it to $SPLUNK_HOME/var/run/splunk/results.txt. Is it possible to change where it exports the txt file? I would like the text file placed in the Splunk web dir so the text file is hosted and can be queried by other devices.

0 Karma
1 Solution

jplumsdaine22
Influencer

You can get the ip addresses into a file with just the following search

|metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | fields clientip | outputcsv results.csv

The documentation states that you can't change the location. http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Outputcsv
See comment below regarding cron

0 Karma

sdorsey15
New Member

Thanks! I ran this search but the resulting text file just contains one line that says "clientip".

I verified |metadata type=hosts index= correctly lists all of the hosts reporting to that index.

0 Karma

jplumsdaine22
Influencer

I may have done the lookup incorrectly.

Make sure you are getting values for

|metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | table host clientip

If the clientip field is blank for all your hosts, have you tried resolving the hostname manually on your server?

0 Karma
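As an added example (not code from this thread or from Splunk), here is a stand-in for how the dnslookup external lookup behaves, which explains both the blank clientip column in the `table host clientip` check above and the header-only file the asker got from `fields clientip | outputcsv`. Splunk hands an external lookup a CSV on stdin whose header names the lookup's fields (clienthost and clientip for dnslookup) and reads the same CSV back with the missing column filled in; a name the resolver cannot find is echoed with an empty clientip rather than an error. The hostnames, the FAKE_DNS table standing in for the resolver, and all function names are constructed for the example.

```python
"""Stand-in for Splunk's dnslookup external lookup (added example, not the
thread's or Splunk's own code).

External lookups receive a CSV on stdin whose header lists the lookup's
fields (clienthost, clientip) and must write the same CSV back with the
missing column filled in.  A name that does not resolve is echoed with an
EMPTY clientip, which `| lookup dnslookup clienthost as host OUTPUT clientip`
then shows as a blank field rather than an error.
"""
import csv
import io
import socket
import sys
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[str]]


def dns_forward(name: str) -> Optional[str]:
    """Forward-resolve with the system resolver; None when the name is unknown."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def dns_reverse(ip: str) -> Optional[str]:
    """Reverse-resolve; None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def fill_lookup(csv_in: str, forward: Resolver = dns_forward,
                reverse: Resolver = dns_reverse) -> str:
    """Apply the external-lookup protocol to one CSV document."""
    reader = csv.DictReader(io.StringIO(csv_in))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["clienthost", "clientip"])
    writer.writeheader()
    for row in reader:
        host = (row.get("clienthost") or "").strip()
        ip = (row.get("clientip") or "").strip()
        if host and not ip:
            ip = forward(host) or ""      # unresolved -> blank, never a guess
        elif ip and not host:
            host = reverse(ip) or ""
        writer.writerow({"clienthost": host, "clientip": ip})
    return out.getvalue()


def unresolved_hosts(csv_out: str) -> List[str]:
    """The `table host clientip` check from the thread: hosts left with a blank clientip."""
    rows = csv.DictReader(io.StringIO(csv_out))
    return [r["clienthost"] for r in rows if not r["clientip"]]


# Constructed sample: two names a corporate resolver knows, and one bare name
# taken from outputs.conf that no DNS zone carries (the situation the asker hit).
FAKE_DNS: Dict[str, str] = {
    "web01.corp.example": "10.0.0.11",
    "db01.corp.example": "10.0.0.21",
}
SAMPLE_INPUT = "clienthost,clientip\r\nweb01.corp.example,\r\ndb01.corp.example,\r\nfwd-gw,\r\n"


def demo() -> List[str]:
    """Run the lookup against the constructed sample with the fake resolver."""
    filled = fill_lookup(SAMPLE_INPUT, forward=FAKE_DNS.get, reverse=lambda _ip: None)
    return unresolved_hosts(filled)


if __name__ == "__main__":
    # Real use: Splunk pipes the CSV in on stdin and reads the result back from stdout.
    sys.stdout.write(fill_lookup(sys.stdin.read()))
```

Running `demo()` returns `["fwd-gw"]`: the two FQDNs resolve, the bare outputs.conf name does not, and its row goes back with an empty clientip. If every host in an index is named that way, the lookup returns nothing but blanks, so resolve one of the hostnames by hand on the search head before assuming the search is wrong.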

esix_splunk
Splunk Employee

You can't change the location of the output. You would need to cron and script a move of that file somewhere...
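As an added example (not from this thread or from Splunk), here is what that cron-driven "script a move of that file" step can look like. outputcsv writes under $SPLUNK_HOME/var/run/splunk/csv, so a scheduled job copies the result to wherever it is to be served from. The copy is written next to the target and swapped in with os.replace, so a device fetching the file never reads a half-written one, and a header-only CSV (what a lookup that resolved nothing produces, as in the asker's first run) is refused instead of overwriting the last good copy. The destination directory, the cron line and the file names are assumptions about the site.

```python
"""Added example (not from the thread or from Splunk): the cron-driven
"script a move of that file somewhere" step.

outputcsv always writes under $SPLUNK_HOME/var/run/splunk/csv, so a
scheduled job has to copy the result to wherever it is to be served from.
The copy is written beside the target and swapped in with os.replace, so a
client fetching the file never reads a half-written one, and a header-only
CSV (what a lookup that resolved nothing produces) is refused instead of
overwriting the last good copy.  The paths below are assumptions.
"""
import csv
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional

SPLUNK_HOME = Path(os.environ.get("SPLUNK_HOME", "/opt/splunk"))
SOURCE = SPLUNK_HOME / "var" / "run" / "splunk" / "csv" / "results.csv"
DEST_DIR = Path("/var/www/html/hosts")   # hypothetical; use a directory your web server serves


def data_rows(path: Path) -> int:
    """Count rows after the header that carry at least one non-empty cell."""
    with path.open(newline="") as fh:
        reader = csv.reader(fh)
        next(reader, None)                      # skip the header line
        return sum(1 for row in reader if any(cell.strip() for cell in row))


def publish(src: Path, dest_dir: Path, name: str = "results.txt") -> Optional[Path]:
    """Atomically copy src to dest_dir/name; return the target, or None when skipped."""
    if src.is_symlink() or not src.is_file():
        return None                             # only a regular file Splunk wrote
    if data_rows(src) == 0:
        return None                             # header-only result: keep the previous copy
    dest_dir.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=dest_dir, prefix=".results-")
    try:
        with os.fdopen(fd, "wb") as out, src.open("rb") as inp:
            shutil.copyfileobj(inp, out)
        os.chmod(tmp, 0o644)                    # readable by the web server, writable only by the owner
        target = dest_dir / name
        os.replace(tmp, target)                 # atomic rename on the same filesystem
        return target
    except Exception:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def demo() -> Dict[str, object]:
    """Exercise publish() on constructed files in a scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch)
        good = root / "results.csv"
        good.write_text("clientip\n10.0.0.11\n10.0.0.21\n")
        header_only = root / "empty.csv"
        header_only.write_text("clientip\n")    # what the asker's first run produced
        www = root / "www"
        first = publish(good, www)
        second = publish(header_only, www)      # must not clobber the good copy
        return {
            "published": first is not None,
            "skipped": second is None,
            "rows_served": data_rows(www / "results.txt"),
        }


if __name__ == "__main__":
    # Cron entry (assumption): */15 * * * * /usr/bin/python3 /usr/local/bin/publish_hosts.py
    print(publish(SOURCE, DEST_DIR) or "nothing published")
```

The file is an inventory of internal hosts and their addresses, so the directory it lands in should sit behind whatever authentication or source-address restriction the fetching devices can use rather than on an open static path, and the cron job should run as the user that owns the destination rather than as root.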
