Splunk Search

Can I search IPs with no syntax?

kruane
Explorer

Can't I just search for an IP within Splunk with no syntax, just 192.15.10.1, and if there is any data, or this IP is simply being accessed by one of our users, then I should be able to see it?

Are there better ways to find it? 

Overall, I want to see if two specific IPs are connecting to Splunk and, if so, then broaden the search.


martinpu
Communicator

You can use quotation marks like so, and use OR if you want to search for multiple IPs:

index=yourindex "192.15.10.1" OR "192.15.10.2"

Or extract all IPs:

index=yourindex yourkeyword
|rex max_match=0 "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
|search ip="192.15.10.1"
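
Added example, not part of the original thread: a Python emulation of what the `rex max_match=0` extraction and the `search ip=` filter in the answer above do, run over constructed log lines. The `STRICT` pattern, the `ipaddress` validation and all function names are assumptions added here to show that the unanchored `\d{1,3}` pattern can pull a target IP out of a longer dotted string.

```python
import ipaddress
import re
from collections import Counter

# The answer's rex pattern; Python writes the named group as (?P<ip>...).
REX = re.compile(r"(?P<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")
# Assumption (not from the thread): reject matches glued to extra digits or dots.
STRICT = re.compile(r"(?<![\d.])(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
TARGETS = {"192.15.10.1", "192.15.10.2"}

# Constructed sample events, not real log data.
EVENTS = [
    "2024-05-01T10:00:01Z action=allowed src=192.15.10.1 dst=10.0.0.5 port=8089",
    "2024-05-01T10:00:07Z action=allowed src=192.15.10.10 dst=10.0.0.5 port=8089",
    "2024-05-01T10:01:13Z login user=alice from 192.15.10.2 via proxy 172.16.4.9",
    "2024-05-01T10:02:40Z component=libfoo version=192.15.10.1.7 loaded",
    "2024-05-01T10:03:02Z parse error near 999.15.10.1",
]

def extract(raw, pattern=REX):
    """Like `rex max_match=0`: every match becomes one value of a multivalue ip field."""
    return [m.group("ip") for m in pattern.finditer(raw)]

def is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)  # rejects octets above 255
        return True
    except ValueError:
        return False

def search(events, targets=TARGETS, pattern=REX, validate=False):
    """Like `| search ip=...`: keep events where any extracted value equals a target."""
    hits = []
    for raw in events:
        ips = extract(raw, pattern)
        if validate:
            ips = [ip for ip in ips if is_ipv4(ip)]
        matched = sorted(set(ips) & set(targets))
        if matched:
            hits.append((matched, raw))
    return hits

def count_by_ip(hits):
    """Events per target IP, comparable to `| stats count by ip` on the hits."""
    return Counter(ip for matched, _ in hits for ip in matched)

if __name__ == "__main__":
    print("loose :", dict(count_by_ip(search(EVENTS))))
    print("strict:", dict(count_by_ip(search(EVENTS, pattern=STRICT, validate=True))))
```

With the loose pattern the version string in the fourth event counts as a hit for 192.15.10.1; the strict pattern drops it, and 192.15.10.10 never matches either way because the field comparison is exact.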

 
