Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get the host IP address from the search?

abassydo2018
Explorer
‎05-30-2018 09:16 AM

Hello,

I will like to see the IP address of the host in this search result. I do not know what I am doing wrong. Please help and advise

index="f5_syslog" sourcetype=syslog source dest=* unix_category=all_hosts | table source host host_ip

source↕

 host↕ 

/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log      gtmwalldmzsp1  
/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log      gtmwalldmzsp1  
/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log     ltmdmzwall01mgmt  
/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log     ltmdmzwall01mgmt

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

abassydo2018
Explorer
‎05-30-2018 11:41 AM

I got the result I wanted. I needed to go into the LB to check for the pool-name adn the status of the members of the LB. Then I added the values to the field and I got the Result I wanted.

index="device_name" unix_category=all_hosts pool_name="pool-name" | spath address | table host address session_status status_reason

Thank you guys, I really appreciate your help and support. You guys are just too great.

View solution in original post

Reply
Solved! Jump to solution
Solution

abassydo2018
Explorer
‎05-30-2018 11:41 AM

I got the result I wanted. I needed to go into the LB to check for the pool-name adn the status of the members of the LB. Then I added the values to the field and I got the Result I wanted.

index="device_name" unix_category=all_hosts pool_name="pool-name" | spath address | table host address session_status status_reason

Thank you guys, I really appreciate your help and support. You guys are just too great.

Reply
Solved! Jump to solution

niketn
Legend
‎05-30-2018 12:07 PM

@abassydo2018, I have converted your comment to Answer. Please accept the same to mark this question as answered and benefit other users facing similar issue in future!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

abassydo2018
Explorer
‎05-30-2018 12:12 PM

Thank you NiketNilay

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-30-2018 09:27 AM

Is the host ip being logged in your raw data/events? Could you share some sample log entry (mask anything that's sensitive like IP address, host names etc).

Reply
Solved! Jump to solution

abassydo2018
Explorer
‎05-30-2018 09:38 AM

Yes, I think so.

2018-05-30T06:20:12-04:00 gtmwalldmzsp1 info logger: [ssl_req][30/May/2018:06:20:12 -0400] 192.168.137.64 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "/cgi-bin/view-source" 199

host = gtmwalldmzsp1

source = /opt/data/splunk/gtmwalldmzsp1/2018-06-01.log

sourcetype = syslog

0 Karma
Reply
Solved! Jump to solution

dflodstrom
Builder
‎05-30-2018 10:59 AM

The IP address appears in the raw event but is it being parsed out into a field? In your search you're making a table with these fields | table source host host_ip If you're not seing any values in host_ip perhaps the field has a different name.

0 Karma
Reply
Solved! Jump to solution

jodyfsu
Path Finder
‎05-30-2018 11:11 AM

I agree with dflodstrom, if the IP address is not being placed into a field already, you can use rex to do it:
| rex "info\slogger:\s[.[^]]+][.[^]]+]\s(?.[^\s]+)"
| table source host host_ip

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top