The following do not give the IP for the Splunk Enterprise Security (ES). Is there a better SPL to provide the list of all Splunk instance names and IPs, especially the ES? Thanks a million in advance.
| rest /services/server/sysinfo splunk_server=local | table splunk_server
| rest /services/server/sysinfo splunk_server=local | table splunk_server | lookup dnslookup clienthost as splunk_server OUTPUT clientip as ipAddress
Hi @SamHTexas,
Please try the SPL below; it should show all of your Splunk infrastructure hostnames, roles, and IP addresses. Unknown roles are set to Heavy Forwarder.
index=_internal earliest=-24h source="*metrics.log" group=per_index_thruput series=_audit
| stats count by host
| fields host
| append
[ search index=_internal earliest=-15m source="*splunkd_access.log" uri_path="/services/search/jobs/export"
| stats count by host
| fields host
| eval role="Search Head"]
| append
[ search index=_internal earliest=-15m source="*splunkd_access.log" uri_path="/servicesNS/-/SplunkEnterpriseSecuritySuite/admin/summarization"
| stats count by host
| fields host
| eval role="Enterprise Security"]
| append
[| rest /services/search/distributed/peers
| fields host title
| rex field=title "(?<ip>[^:]+)"
| table host ip]
| append
[ search earliest=-15m index=_internal source="*metrics.log" group=tcpin_connections destPort=9997
| stats count by host
| fields host
| eval role="Indexer"]
| append
[ search earliest=-120m index=_internal source="*metrics.log" name=instance TERM(shc_deployer)
| stats count by host
| fields host
| eval role="SHCluster Deployer"]
| append
[ search earliest=-15m index=_internal source="*metrics.log" group=shclustering
| stats count by host
| fields host
| eval role="SHCluster Member"]
| append
[ search earliest=-15m index=_internal source="*health.log" node_type=category node_path="splunkd.search_head_clustering.shc_captain"
| stats latest(host) as host
| eval role="SHCluster Captain"]
| append
[ search earliest=-15m index=_internal source="*metrics.log" group=cmmaster_*
| stats count by host
| fields host
| eval role="Cluster Master"]
| append
[ search earliest=-15m index=_internal source="*metrics.log" group=deploy-server name=clients nTotal>0
| stats count by host
| fields host
| eval role="Deployment Server"]
| append
[ search earliest=-15m index=_internal LicenseUsage sourcetype=splunkd type=Usage
| stats latest(host) as host
| eval role="License Master"]
| append
[ search index=_internal source="*metrics.log" group=tcpin_connections fwdType=full
| stats latest(sourceIp) as ip by hostname
| rename hostname as host]
| stats values(role) as role values(ip) as ip by host
| fillnull value="Heavy Forwarder" role
| sort role
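The classification the SPL above performs, re-implemented as an added example (not part of this thread and not Splunk's own code) in Python over a few constructed _internal events, so the field logic can be checked offline: which source and which key=value pairs drive each role, and that hostname and sourceIp on a tcpin_connections line name the sending forwarder rather than the indexer that logged it. All sample events, hostnames and IPs below are made up, and only_hosts is an assumed parameter that restricts the result to a known list of instances, the same thing the later replies do with an OR of hostname= clauses.

```python
# Added example (not from the thread): the role/IP classification the SPL above
# performs, re-implemented over constructed _internal events. Not real log data.
import re
from collections import defaultdict

ES_SUMMARIZATION_URI = "/servicesNS/-/SplunkEnterpriseSecuritySuite/admin/summarization"
EXPORT_URI = "/services/search/jobs/export"

# metrics.log is "key=value, key=value, ..." (quoted values allowed)
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')
# splunkd_access.log is Apache-style; uri_path is the request path without the query string
URI_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) ([^\s?"]+)')


def parse_kv(raw):
    """Return the key=value pairs of a metrics.log line as a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(raw)}


def uri_path(raw):
    """Return the request path of a splunkd_access.log line (None if absent)."""
    m = URI_RE.search(raw)
    return m.group(1) if m else None


def classify(events, only_hosts=None):
    """Return [{host, role, ip}] like the final `stats ... by host` in the SPL.

    events: iterable of {"host", "source", "_raw"} as Splunk would index them.
    only_hosts: optional set of hostnames to keep (assumed parameter).
    """
    roles = defaultdict(set)
    ips = {}
    seen = set()
    for ev in events:
        host, source, raw = ev["host"], ev["source"], ev["_raw"]
        seen.add(host)
        if source.endswith("splunkd_access.log"):
            path = uri_path(raw)
            if path == EXPORT_URI:
                roles[host].add("Search Head")
            elif path == ES_SUMMARIZATION_URI:
                roles[host].add("Enterprise Security")
        elif source.endswith("metrics.log"):
            kv = parse_kv(raw)
            group = kv.get("group", "")
            if group == "tcpin_connections":
                if kv.get("destPort") == "9997":
                    roles[host].add("Indexer")  # the receiver logged this line
                # hostname/sourceIp describe the sender; only full (heavy) forwarders
                # are Splunk Enterprise instances, so the IP map is built from them
                if kv.get("fwdType") == "full" and "hostname" in kv and "sourceIp" in kv:
                    ips[kv["hostname"]] = kv["sourceIp"]
                    seen.add(kv["hostname"])
            elif group == "shclustering":
                roles[host].add("SHCluster Member")
            elif group.startswith("cmmaster_"):
                roles[host].add("Cluster Master")
            elif (group == "deploy-server" and kv.get("name") == "clients"
                  and int(kv.get("nTotal", "0")) > 0):
                roles[host].add("Deployment Server")
    rows = []
    for host in sorted(seen):
        if only_hosts is not None and host not in only_hosts:
            continue
        rows.append({"host": host,
                     "role": sorted(roles[host]) or ["Heavy Forwarder"],  # fillnull
                     "ip": ips.get(host)})
    return rows


def _ev(host, source, raw):
    return {"host": host, "source": source, "_raw": raw}


M = "/opt/splunk/var/log/splunk/metrics.log"
A = "/opt/splunk/var/log/splunk/splunkd_access.log"
TCPIN = ("03-10-2024 10:00:01.123 +0000 INFO  Metrics - group=tcpin_connections, "
         "{ip}:{port}:9997, connectionType=cooked, sourcePort={port}, sourceHost={ip}, "
         "sourceIp={ip}, destPort=9997, kb=3.10, hostname={name}, fwdType={kind}, ssl=true")

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    _ev("idx01", M, TCPIN.format(ip="10.0.0.21", port=50122, name="es01", kind="full")),
    _ev("idx01", M, TCPIN.format(ip="10.0.0.22", port=50123, name="sh01", kind="full")),
    _ev("idx01", M, TCPIN.format(ip="10.0.0.23", port=50124, name="hf01", kind="full")),
    _ev("idx01", M, TCPIN.format(ip="10.0.1.5", port=50125, name="uf-web01", kind="uf")),
    _ev("es01", A, '10.0.0.30 - admin [10/Mar/2024:10:00:02.000 +0000] "GET '
                   + ES_SUMMARIZATION_URI + '?output_mode=json HTTP/1.1" 200 812 - - - 9ms'),
    _ev("es01", A, '10.0.0.30 - admin [10/Mar/2024:10:00:03.000 +0000] "POST '
                   + EXPORT_URI + ' HTTP/1.1" 200 4411 - - - 120ms'),
    _ev("sh01", A, '10.0.0.31 - bob [10/Mar/2024:10:00:04.000 +0000] "POST '
                   + EXPORT_URI + ' HTTP/1.1" 200 2210 - - - 80ms'),
    _ev("sh01", M, "03-10-2024 10:00:05.000 +0000 INFO  Metrics - group=shclustering, "
                   "name=member, captain_uri=\"https://sh02:8089\", count=1"),
    _ev("cm01", M, "03-10-2024 10:00:06.000 +0000 INFO  Metrics - group=cmmaster_service, "
                   "name=bucket_fixup, count=0"),
    _ev("ds01", M, "03-10-2024 10:00:07.000 +0000 INFO  Metrics - group=deploy-server, "
                   "name=clients, nTotal=12, nIdle=12"),
]

if __name__ == "__main__":
    for r in classify(SAMPLE_EVENTS):
        print(f'{r["host"]:8} {r["ip"] or "-":12} {", ".join(r["role"])}')
```

Note that uf-web01 never appears in the output: its connection is logged with fwdType=uf, so the SPL's fwdType=full filter leaves it out, which is exactly why the hostname/IP map stays limited to Splunk Enterprise instances rather than every universal forwarder in the estate. Indexers themselves get no IP from this map because they receive connections rather than make them; the REST distributed/peers call in the SPL is what fills that in.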
You can try modifying this search to give you only the hostnames of your Splunk servers.
index=_internal sourcetype=splunkd group=tcpin_connections | stats latest(sourceIp) by hostname
Thank you for your reply. Your SPL provides all the hosts in my environment, which are many. How do I just look up the IPs of the 12 Splunk instances that I have, like ES, SHs, license server, etc.? Thank you.
index=_internal sourcetype=splunkd group=tcpin_connections (hostname=server1 OR hostname=server2 OR hostname=server3) | stats latest(sourceIp) by hostname
This is a basic way to add your Splunk server names.
Thank you very much for your message. I ran your last SPL on a search head and on my cluster master; no results were produced. Please advise.
Apologies, I was able to run this command in my environment and got results.
index=_internal sourcetype=splunkd group=tcpin_connections (hostname="server1" OR hostname="server2")| stats latest(sourceIp) by hostname
Are you modifying the hostname variables to match your environment's servernames?
Thanks again. I got no results. I even ran it with index=* and got no results.