Using Splunk Web, can I search a specific host name or IP address that returns the “Identified UF Version” of that system?

Splunk0n
New Member

Hello Splunkers - Using Splunk Web, can I search/index a specific host name or IP address that returns the “Identified UF Version” of that system? The Universal Forwarder 6.4 is already installed. Any assistance would be greatly appreciated, thank you.

0 Karma
1 Solution

coltwanger
Contributor

Try something like this, but replace sourceHost with your IP address:

index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* sourceHost=10.1.1.1
| eval Hostname=if(isnull(hostname), sourceHost,hostname)
| eval version=if(isnull(version),"pre 4.2",version)
| eval architecture=if(isnull(arch),"n/a",arch)
| stats count by Hostname version architecture
| sort + version


Splunk0n
New Member

Hello coltwanger - thanks for your guidance. I have tried your suggestions but got no results. I am new to Splunk but not an SME yet 🙂
Assuming my IP is 123.45.6.78, can you be more specific about how I can index that system?
I know it's probably an elementary question so please bear with me, thank you.

0 Karma

aaraneta_splunk
Splunk Employee

@Splunk0n - I don't think it was your intention, but I scrubbed the IP address you initially used since it points to an actual location. I anonymized the IP address in your and coltwanger's comments. Please keep in mind that Splunk Answers is a public forum so please take extra care as to not accidentally reveal sensitive information specific to you, your company, and/or customers. Thanks 🙂

0 Karma

coltwanger
Contributor

This search should return the information regarding that particular IP address:

index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* sourceHost=123.45.6.78
| eval Hostname=if(isnull(hostname), sourceHost,hostname)
| eval version=if(isnull(version),"pre 4.2",version)
| eval architecture=if(isnull(arch),"n/a",arch)
| stats count by Hostname version architecture
| sort + version

0 Karma
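A broader variant of the search above, added here as an example (not coltwanger's own query): it drops the sourceHost filter to inventory every forwarder that has connected, keeps the same "pre 4.2" default for forwarders too old to report a version, and flags anything below 6.4 as needing an upgrade. It assumes the tcpin_connections metrics events also carry the sourceIp, fwdType, os and ssl fields, which is the case on recent forwarders but not guaranteed on older ones.

```spl
index=_internal sourcetype=splunkd group=tcpin_connections NOT eventType=*
| eval Hostname=if(isnull(hostname), sourceHost, hostname)
| eval version=if(isnull(version), "pre 4.2", version)
| eval architecture=if(isnull(arch), "n/a", arch)
| stats latest(_time) AS last_seen, latest(sourceIp) AS source_ip, latest(fwdType) AS fwd_type, latest(os) AS os, latest(ssl) AS ssl, count BY Hostname version architecture
| eval v_major=tonumber(mvindex(split(version, "."), 0)), v_minor=tonumber(mvindex(split(version, "."), 1))
| eval status=if(isnull(v_major) OR v_major<6 OR (v_major=6 AND v_minor<4), "upgrade", "ok")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| table Hostname source_ip version architecture os fwd_type ssl status last_seen count
| sort - status, + version
```

The major/minor split avoids the lexical comparison trap where a plain string compare would rank "6.10" below "6.4"; to check a single host, append `sourceHost=123.45.6.78` to the first line exactly as in the accepted answer.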