Getting Data In

How to get the host IP address from the search?

abassydo2018
Explorer

Hello,

I will like to see the IP address of the host in this search result. I do not know what I am doing wrong. Please help and advise

index="f5_syslog" sourcetype=syslog source dest=* unix_category=all_hosts | table source host host_ip

source↕

 host↕

/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log      gtmwalldmzsp1  
/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log      gtmwalldmzsp1  
/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log     ltmdmzwall01mgmt  
/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log     ltmdmzwall01mgmt 

0 Karma
1 Solution

abassydo2018
Explorer

I got the result I wanted. I needed to go into the LB to check for the pool-name adn the status of the members of the LB. Then I added the values to the field and I got the Result I wanted.

index="device_name" unix_category=all_hosts pool_name="pool-name" | spath address | table host address session_status status_reason

Thank you guys, I really appreciate your help and support. You guys are just too great.

View solution in original post

abassydo2018
Explorer

I got the result I wanted. I needed to go into the LB to check for the pool-name adn the status of the members of the LB. Then I added the values to the field and I got the Result I wanted.

index="device_name" unix_category=all_hosts pool_name="pool-name" | spath address | table host address session_status status_reason

Thank you guys, I really appreciate your help and support. You guys are just too great.

niketn
Legend

@abassydo2018, I have converted your comment to Answer. Please accept the same to mark this question as answered and benefit other users facing similar issue in future!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

abassydo2018
Explorer

Thank you NiketNilay

0 Karma

somesoni2
Revered Legend

Is the host ip being logged in your raw data/events? Could you share some sample log entry (mask anything that's sensitive like IP address, host names etc).

abassydo2018
Explorer

Yes, I think so.

2018-05-30T06:20:12-04:00 gtmwalldmzsp1 info logger: [ssl_req][30/May/2018:06:20:12 -0400] 192.168.137.64 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "/cgi-bin/view-source" 199

host = gtmwalldmzsp1

source = /opt/data/splunk/gtmwalldmzsp1/2018-06-01.log

sourcetype = syslog

0 Karma

dflodstrom
Builder

The IP address appears in the raw event but is it being parsed out into a field? In your search you're making a table with these fields | table source host host_ip If you're not seing any values in host_ip perhaps the field has a different name.

0 Karma

jodyfsu
Path Finder

I agree with dflodstrom, if the IP address is not being placed into a field already, you can use rex to do it:
| rex "info\slogger:\s[.[^]]+][.[^]]+]\s(?.[^\s]+)"
| table source host host_ip

0 Karma
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...