Getting Data In

How to get the host IP address from the search?

abassydo2018
Explorer

Hello,

I would like to see the IP address of the host in this search result. I do not know what I am doing wrong. Please help and advise.

index="f5_syslog" sourcetype=syslog source dest=* unix_category=all_hosts | table source host host_ip

source                                             host

/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log      gtmwalldmzsp1
/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log      gtmwalldmzsp1
/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log   ltmdmzwall01mgmt
/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log   ltmdmzwall01mgmt

0 Karma
1 Solution

abassydo2018
Explorer

I got the result I wanted. I needed to go into the LB to check for the pool name and the status of the members of the LB. Then I added the values to the field and I got the result I wanted.

index="device_name" unix_category=all_hosts pool_name="pool-name" | spath address | table host address session_status status_reason

Thank you guys, I really appreciate your help and support. You guys are just too great.

niketn
Legend

@abassydo2018, I have converted your comment to an Answer. Please accept it to mark this question as answered and benefit other users facing a similar issue in the future!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

abassydo2018
Explorer

Thank you NiketNilay

0 Karma

somesoni2
Revered Legend

Is the host IP being logged in your raw data/events? Could you share a sample log entry (mask anything that's sensitive, like IP addresses and host names)?

abassydo2018
Explorer

Yes, I think so.

2018-05-30T06:20:12-04:00 gtmwalldmzsp1 info logger: [ssl_req][30/May/2018:06:20:12 -0400] 192.168.137.64 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "/cgi-bin/view-source" 199

host = gtmwalldmzsp1

source = /opt/data/splunk/gtmwalldmzsp1/2018-06-01.log

sourcetype = syslog

0 Karma

dflodstrom
Builder

The IP address appears in the raw event, but is it being parsed out into a field? In your search you're making a table with these fields: | table source host host_ip . If you're not seeing any values in host_ip, perhaps the field has a different name.

0 Karma

jodyfsu
Path Finder

I agree with dflodstrom: if the IP address is not being placed into a field already, you can use rex to do it (the brackets in the pattern are escaped, and the capture group is named host_ip so the table can pick it up):
| rex "info\slogger:\s\[[^\]]+\]\[[^\]]+\]\s(?<host_ip>[^\s]+)"
| table source host host_ip

0 Karma
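To show what the rex suggestion above actually does to an event, here is an added Python example (not code from the thread or from Splunk) that runs the same pattern over a few syslog lines and builds the source/host/host_ip table the original poster asked for. The log lines are constructed from the single sample the poster shared; the third line is a made-up non-ssl_req event included to show that events without the bracketed blocks yield an empty host_ip, which is what the poster's original table looked like. Python's named-group syntax is (?P<name>...) where Splunk's PCRE rex writes (?<name>...).

```python
"""Extract the client IP from F5 ssl_req syslog lines.

Added example, not code from the thread. The events below are constructed
from the single sample the original poster shared; the field names (source,
host, host_ip) mirror the Splunk search in the thread.
"""
import ipaddress
import re
from typing import List, Optional, Tuple

# Same pattern jodyfsu suggested for Splunk's rex, in Python's named-group
# syntax (Splunk/PCRE: (?<host_ip>...), Python: (?P<host_ip>...)).
SSL_REQ_RE = re.compile(
    r"info\slogger:\s\[[^\]]+\]\[[^\]]+\]\s(?P<host_ip>[^\s]+)"
)

# Constructed sample events as (source, host, _raw) tuples, not real data.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log", "gtmwalldmzsp1",
     '2018-05-30T06:20:12-04:00 gtmwalldmzsp1 info logger: [ssl_req]'
     '[30/May/2018:06:20:12 -0400] 192.168.137.64 TLSv1.2 '
     'ECDHE-RSA-AES128-GCM-SHA256 "/cgi-bin/view-source" 199'),
    ("/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log", "ltmdmzwall01mgmt",
     '2018-05-30T06:21:03-04:00 ltmdmzwall01mgmt info logger: [ssl_req]'
     '[30/May/2018:06:21:03 -0400] 10.20.30.40 TLSv1.2 '
     'ECDHE-RSA-AES256-GCM-SHA384 "/" 512'),
    # Made-up event with no ssl_req block: host_ip must come back empty,
    # which is exactly what the poster's table showed for every row.
    ("/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log", "ltmdmzwall01mgmt",
     "2018-05-30T06:21:05-04:00 ltmdmzwall01mgmt notice httpd[1234]: "
     "health check OK"),
]


def extract_host_ip(raw: str) -> Optional[str]:
    """Return the client IP from an ssl_req line, or None if there is none.

    The regex pulls out the token after the two bracketed blocks; ipaddress
    then rejects anything that is not a syntactically valid IPv4/IPv6 address,
    so a stray token never shows up as an IP in the table.
    """
    m = SSL_REQ_RE.search(raw)
    if not m:
        return None
    token = m.group("host_ip")
    try:
        ipaddress.ip_address(token)
    except ValueError:
        return None
    return token


def build_table(events: List[Tuple[str, str, str]]) -> List[dict]:
    """Mimic `| table source host host_ip` over (source, host, _raw) tuples."""
    rows = []
    for source, host, raw in events:
        rows.append({"source": source, "host": host,
                     "host_ip": extract_host_ip(raw) or ""})
    return rows


if __name__ == "__main__":
    for row in build_table(SAMPLE_EVENTS):
        print(f"{row['source']:<50} {row['host']:<18} {row['host_ip']}")
```

The empty host_ip on the third row is the useful check: if every row of the real search comes back blank, the field name is wrong or the extraction never ran, not the table command.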