Getting Data In

How to get the host IP address from the search?

Explorer

Hello,

I would like to see the IP address of the host in this search result. I do not know what I am doing wrong. Please help and advise.

index="f5_syslog" sourcetype=syslog source dest=* unix_category=all_hosts | table source host host_ip

source                                             host
/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log      gtmwalldmzsp1
/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log      gtmwalldmzsp1
/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log   ltmdmzwall01mgmt
/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log   ltmdmzwall01mgmt

0 Karma
1 Solution

Explorer

I got the result I wanted. I needed to go into the LB to check for the pool name and the status of the members of the LB. Then I added the values to the field and I got the result I wanted.

index="devicename" unix_category=all_hosts poolname="pool-name" | spath address | table host address sessionstatus statusreason

Thank you guys, I really appreciate your help and support. You guys are just too great.

View solution in original post

SplunkTrust

@abassydo2018, I have converted your comment to an Answer. Please accept it to mark this question as answered and benefit other users facing a similar issue in future!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Explorer

Thank you NiketNilay

0 Karma

SplunkTrust

Is the host IP being logged in your raw data/events? Could you share a sample log entry (mask anything that's sensitive, like IP addresses, host names, etc.)?

Explorer

Yes, I think so.

2018-05-30T06:20:12-04:00 gtmwalldmzsp1 info logger: [ssl_req][30/May/2018:06:20:12 -0400] 192.168.137.64 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "/cgi-bin/view-source" 199

host = gtmwalldmzsp1

source = /opt/data/splunk/gtmwalldmzsp1/2018-06-01.log

sourcetype = syslog

0 Karma

Builder

The IP address appears in the raw event, but is it being parsed out into a field? In your search you're making a table with these fields:

| table source host host_ip

If you're not seeing any values in host_ip, perhaps the field has a different name.

0 Karma

Path Finder

I agree with dflodstrom. If the IP address is not being placed into a field already, you can use rex to do it (the brackets in the event have to be escaped, and the capture group needs a name so the field shows up in the table):

| rex "info\slogger:\s\[[^\]]+\]\[[^\]]+\]\s(?<host_ip>\S+)"
| table source host host_ip

0 Karma
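The extraction discussed in this thread, as an added example that is not part of the original posts or Splunk's own code. It applies the same pattern as the rex above (translated to Python's (?P<name>...) group syntax, since Python's re module does not accept the (?<name>...) form Splunk uses) to constructed syslog lines modelled on the event posted earlier; the second and third lines, the hypothetical host names and the 10.x addresses are made up for the example. The field name host_ip follows the thread, but note the caveat: in the Apache mod_ssl-style ssl_req format this position holds the remote (client) address that connected to the F5, not the load balancer's own interface address, so treat it as the client IP when you use it. The example also pulls out the TLS version and cipher that sit next to it, because once those are fields you can table them or flag weak negotiations.

```python
import ipaddress
import re

# Constructed sample events. The first is the line posted in the thread; the
# other two are made-up variations (hosts, addresses and the sshd line are
# hypothetical) so the parser has a non-matching event and a weak-TLS event.
SAMPLE_EVENTS = [
    '2018-05-30T06:20:12-04:00 gtmwalldmzsp1 info logger: [ssl_req][30/May/2018:06:20:12 -0400] '
    '192.168.137.64 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "/cgi-bin/view-source" 199',
    '2018-05-30T06:21:03-04:00 ltmdmzwall01mgmt info logger: [ssl_req][30/May/2018:06:21:03 -0400] '
    '10.20.30.40 TLSv1.0 AES256-SHA "/login" 512',
    '2018-05-30T06:21:05-04:00 ltmdmzwall01mgmt notice sshd[1234]: Accepted publickey for admin '
    'from 10.0.0.5 port 51234 ssh2',
]

# Python translation of the thread's rex, used as a sanity check:
#   | rex "info\slogger:\s\[[^\]]+\]\[[^\]]+\]\s(?<host_ip>\S+)"
THREAD_REX = re.compile(r'info\slogger:\s\[[^\]]+\]\[[^\]]+\]\s(?P<host_ip>\S+)')

# Fuller pattern for the whole ssl_req line: syslog header, the two bracketed
# fields, then client address, TLS version, cipher, quoted request and bytes.
SSL_REQ = re.compile(
    r'^(?P<timestamp>\S+)\s+(?P<host>\S+)\s+info\s+logger:\s+'
    r'\[(?P<log_type>[^\]]+)\]\[(?P<req_time>[^\]]+)\]\s+'
    r'(?P<host_ip>\S+)\s+(?P<tls_version>\S+)\s+(?P<cipher>\S+)\s+'
    r'"(?P<request>[^"]*)"\s+(?P<bytes>\d+)\s*$'
)

# Protocol versions a reviewer would not want to see negotiated any more.
WEAK_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def thread_rex_host_ip(event):
    """Apply only the thread's rex; returns the host_ip string or None."""
    m = THREAD_REX.search(event)
    return m.group("host_ip") if m else None


def extract_fields(event):
    """Parse one ssl_req syslog line into a dict of fields, or None if it
    is some other event (e.g. sshd) that the pattern does not describe."""
    m = SSL_REQ.match(event)
    if not m:
        return None
    fields = m.groupdict()
    fields["bytes"] = int(fields["bytes"])
    # Validate that what landed in host_ip really is an address; F5 can log
    # "-" or a name here, and an empty-looking column was the original problem.
    try:
        ipaddress.ip_address(fields["host_ip"])
        fields["host_ip_valid"] = True
    except ValueError:
        fields["host_ip_valid"] = False
    return fields


def table(events, columns=("host", "host_ip", "tls_version", "cipher")):
    """Equivalent of `| table host host_ip tls_version cipher`: one row per
    event that parsed, in input order."""
    rows = []
    for ev in events:
        f = extract_fields(ev)
        if f is not None:
            rows.append(tuple(f[c] for c in columns))
    return rows


def weak_tls(events):
    """Parsed ssl_req events whose negotiated protocol is in WEAK_TLS."""
    return [f for f in map(extract_fields, events)
            if f is not None and f["tls_version"] in WEAK_TLS]


if __name__ == "__main__":
    for row in table(SAMPLE_EVENTS):
        print("\t".join(row))
    for f in weak_tls(SAMPLE_EVENTS):
        print(f"weak TLS from {f['host_ip']} on {f['host']}: {f['tls_version']} {f['cipher']}")
```

The thread's rex and the fuller pattern agree on host_ip for the posted event; the fuller one is only there because the version and cipher are worth having as fields once you are parsing the line anyway, and the non-ssl_req sshd line shows the pattern returning nothing rather than a wrong field.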