Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dynamically insert IP address into saved search

John_Mark
Splunk Employee
Splunk Employee
‎08-18-2010 10:13 PM

I have a team of web developers using Splunk to debug their web apps. When they're debugging apps, they're all hitting the same web server. What I'd like to do is be able to utilize saved searches that automatically filter results only for their IP address (or some other unique identifier). I found some tips on dynamic saved searches from this Question: http://answers.splunk.com/questions/5571/way-to-insert-create-field-based-on-source

But I'm still not sure how I would tell Splunk my machine's IP address, and how it could be inserted into a saved search.

Reply
1 Solution
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-19-2010 02:59 AM

First, you haven't been concrete in saying which IP you're referring to. If it's the IP of the web browser, and splunkd is on a separate machine, then you're pretty much out of luck. If you care about the IP of the machine that splunkd is on, then you might consider setting up a macro that gets the IP of that machine. If you called the macro myIP, you could refer to it in your search when wrapped with backticks. If your splunkd is shared, then you could have one of these per user in /etc/users/<username>/search/local/macros.conf.

View solution in original post

Reply
Solved! Jump to solution

John_Mark
Splunk Employee
Splunk Employee
‎08-19-2010 06:19 PM

ah, well. It had some recommendations on how to insert dynamic fields into a search, so I thought it might apply.

0 Karma
Reply
Solved! Jump to solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-19-2010 04:18 AM

It's unclear to me how the linked question has anything to do with this question.

0 Karma
Reply
Solved! Jump to solution
Solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-19-2010 02:59 AM

First, you haven't been concrete in saying which IP you're referring to. If it's the IP of the web browser, and splunkd is on a separate machine, then you're pretty much out of luck. If you care about the IP of the machine that splunkd is on, then you might consider setting up a macro that gets the IP of that machine. If you called the macro myIP, you could refer to it in your search when wrapped with backticks. If your splunkd is shared, then you could have one of these per user in /etc/users/<username>/search/local/macros.conf.

Reply
Solved! Jump to solution

John_Mark
Splunk Employee
Splunk Employee
‎08-20-2010 06:13 PM

Aha! sorry. head-slapper there 🙂 thanks!

0 Karma
Reply
Solved! Jump to solution

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-19-2010 06:22 PM

Define developer's IP. If you have a mapping of splunk user to IP, then the macro trick is best.

0 Karma
Reply
Solved! Jump to solution

John_Mark
Splunk Employee
Splunk Employee
‎08-19-2010 06:18 PM

It depends - of primary interest is the ability of the developer to filter for only their debugging results, but if we know that it's impossible to grab the developer's IP, then we can jump through some hoops to do our testing via the splunkd machine. We could also have splunkd running on each developer box. We had hoped to avoid that, but given the small amount of data to index, this probably wouldn't be a huge resource hog.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...