Splunk Enterprise Security

How do I look up the name and IP addresses of my Splunk instances? I am using the following for ES but don't get the IP. Thx

SamHTexas
Builder

The following do not give the IP for Splunk Enterprise Security (ES). Is there a better SPL to provide the list of all Splunk instance names and IPs, especially the ES? Thanks a million in advance.

| rest /services/server/sysinfo splunk_server=local | table splunk_server

| rest /services/server/sysinfo splunk_server=local | table splunk_server | lookup dnslookup clienthost AS splunk_server OUTPUT clientip AS ipAddress ```the dnslookup lookup takes clienthost and returns clientip; asking for clienthost on OUTPUT just echoes the name back```


scelikok
SplunkTrust

Hi @SamHTexas,

Please try the SPL below; it should show all your Splunk infrastructure hostnames, roles, and IP addresses. Unknown roles are set to Heavy Forwarder.

index=_internal earliest=-24h source="*metrics.log" group=per_index_thruput series=_audit 
| stats count by host 
| fields host 
| append 
    [ search index=_internal earliest=-15m source="*splunkd_access.log" uri_path="/services/search/jobs/export" 
    | stats count by host 
    | fields host 
    | eval role="Search Head"] 
| append 
    [ search index=_internal earliest=-15m source="*splunkd_access.log" uri_path="/servicesNS/-/SplunkEnterpriseSecuritySuite/admin/summarization" 
    | stats count by host 
    | fields host 
    | eval role="Enterprise Security"] 
| append 
    [| rest /services/search/distributed/peers 
    | fields host title 
    | rex field=title "(?<ip>[^:]+)" 
    | table host ip] 
| append 
    [ search earliest=-15m index=_internal source="*metrics.log" group=tcpin_connections destPort=9997 
    | stats count by host 
    | fields host 
    | eval role="Indexer"] 
| append 
    [ search earliest=-120m index=_internal source="*metrics.log" name=instance TERM(shc_deployer) 
    | stats count by host 
    | fields host 
    | eval role="SHCluster Deployer"] 
| append 
    [ search earliest=-15m index=_internal source="*metrics.log" group=shclustering 
    | stats count by host 
    | fields host 
    | eval role="SHCluster Member"] 
| append 
    [ search earliest=-15m index=_internal source="*health.log" node_type=category node_path="splunkd.search_head_clustering.shc_captain" 
    | stats latest(host) as host 
    | eval role="SHCluster Captain"] 
| append 
    [ search earliest=-15m index=_internal source="*metrics.log" group=cmmaster_* 
    | stats count by host 
    | fields host 
    | eval role="Cluster Master"] 
| append 
    [ search earliest=-15m index=_internal source="*metrics.log" group=deploy-server name=clients nTotal>0 
    | stats count by host 
    | fields host 
    | eval role="Deployment Server"] 
| append 
    [ search earliest=-15m index=_internal LicenseUsage sourcetype=splunkd type=Usage 
    | stats latest(host) as host 
    | eval role="License Master"] 
| append 
    [ search index=_internal source="*metrics.log" group=tcpin_connections fwdType=full 
    | stats latest(sourceIp) as ip by hostname 
    | rename hostname as host] 
| stats values(role) as role values(ip) as ip by host 
| fillnull value="Heavy Forwarder" role 
| sort role

If this reply helps you, an upvote is appreciated.
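The same peer inventory the `| rest /services/search/distributed/peers` subsearch above builds can be pulled directly from the management port, which is handy for an asset list that lives outside Splunk. This is an added example in Python, not code from the thread or from Splunk; it assumes the JSON form of that endpoint has an `entry` list whose `name` is `addr:port` and whose `content` carries `host` and `status`, and SPLUNK_URL and TOKEN are placeholders.

```python
# Added example (not from this thread): inventory Splunk search peers by
# reading /services/search/distributed/peers as JSON instead of via SPL.
# Assumed JSON shape: entry[].name is "addr:port" and entry[].content has
# "host" and "status". SPLUNK_URL and TOKEN are placeholders.
import ipaddress, json, socket, urllib.request

SPLUNK_URL = "https://search-head.example:8089"  # placeholder
TOKEN = "REPLACE_WITH_SPLUNK_TOKEN"               # placeholder
ENDPOINT = "/services/search/distributed/peers?output_mode=json&count=0"

def to_ip(addr):
    """Literal address -> unchanged; hostname -> IPv4 via DNS, or None."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        pass
    try:
        return socket.gethostbyname(addr)
    except socket.gaierror:
        return None

def parse_peers(payload):
    """Endpoint JSON -> [{'host', 'ip', 'port', 'status'}], one per peer."""
    peers = []
    for entry in json.loads(payload).get("entry", []):
        addr, _, port = entry["name"].rpartition(":")  # name is "addr:port"
        content = entry.get("content", {})
        peers.append({
            "host": content.get("host", addr),
            "ip": to_ip(addr.strip("[]")),  # IPv6 peers appear as "[addr]:port"
            "port": int(port) if port.isdigit() else 8089,
            "status": content.get("status", "unknown"),
        })
    return peers

def fetch_peers(url=SPLUNK_URL, token=TOKEN):
    """Live call over the management port; TLS verification is left on."""
    req = urllib.request.Request(url + ENDPOINT,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_peers(resp.read().decode())

# Constructed sample response shaped like the endpoint's JSON output.
SAMPLE = json.dumps({"entry": [
    {"name": "10.0.0.5:8089", "content": {"host": "idx1", "status": "Up"}},
    {"name": "localhost:8089", "content": {"host": "idx2", "status": "Down"}},
]})
```

Run `parse_peers(SAMPLE)` to see the offline result, or `fetch_peers()` against a real search head with a token that has only the read access it needs.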

Stefanie
Builder

You can try modifying this search to give you only the hostnames of your Splunk servers.

index=_internal sourcetype=splunkd group=tcpin_connections | stats latest(sourceIp) by hostname

SamHTexas
Builder

Thank you for your reply. Your SPL provides all the hosts in my environment, which are many. How do I just look up the IPs of the 12 Splunk instances that I have, like ES, SHs, license server, etc.? Thank you


Stefanie
Builder
index=_internal sourcetype=splunkd group=tcpin_connections (hostname=server1 OR hostname=server2 OR hostname=server3) | stats latest(sourceIp) by hostname

This is a basic way to add your Splunk server names.


SamHTexas
Builder

Thank you very much for your message. I ran your last SPL on a search head and on my cluster master; no results were produced. Please advise.


Stefanie
Builder

Apologies, I was able to run this command in my environment and got results. 
index=_internal sourcetype=splunkd group=tcpin_connections (hostname="server1" OR hostname="server2")| stats latest(sourceIp) by hostname

Are you modifying the hostname variables to match your environment's server names?


SamHTexas
Builder

Thanks again, I got no results. I even ran it with index=* and got no results.
