Security

Checking if device is communication with Splunk given IP or hostname

waJesu
Path Finder

I am very new to Splunk administration. Would anyone help me with a simple search to check if a particular device is reporting to splunk, given it's IP address and/or it's hostname.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If the device has a Universal Forwarder on it then you can search the internal index for the IP/hostname in question.

index=_internal TERM(ip address)

index=_internal "host name"

If the device does not have a UF on it then you can search your other indexes for the host.

| tstats latest(_time) as time where index=* host="host name"

Use a specific index name in place of * if you know which index has the host's data.

---
If this reply helps you, Karma would be appreciated.

waJesu
Path Finder

Oh I had only tried using host name. The IP one is not returning results.

0 Karma

waJesu
Path Finder

Thank you. This was very helpful. Maybe the follow up question would be how to trouble shoot why a device is not communicating.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...