Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I use iplocation to include the IP in my alert search results for account lockouts?

Gayathirik
Path Finder
‎08-03-2016 01:16 AM

I have a search to alert on account lockouts:

index=winsec EventCodeDescription="A user account was locked out"|dedup user| stats count as total by _time host user

I need to get the "IP" as well when the account is locked out. Could you please help me on getting the IP address of the system along with this event alert search?

Regards,
Gayathiri K

Reply
1 Solution
Solved! Jump to solution
Solution

hliakathali_spl
Splunk Employee
Splunk Employee
‎08-03-2016 03:06 AM

You would have to use some DNSlookup type of things to get IP address from host name. And you can use clientip, src_ip, dns_ip, server_ip..Etc according to your Splunk naming conversion you have to use the search strings. See the props.conf file for host and ip

Try to use this query,

index=_audit action="login attempt" info="succeeded"| head 20 | iplocation clientip | table clientip, user, _time

View solution in original post

Reply
Solved! Jump to solution

sundareshr
Legend
‎08-03-2016 12:48 PM

Try this

index=winsec EventCodeDescription="A user account was locked out"| stats count as total by _time host user Source_Network_Address
0 Karma
Reply
Solved! Jump to solution

Gayathirik
Path Finder
‎08-04-2016 01:49 AM

This is not working..Could you please tell me some other possible way to find it out?

0 Karma
Reply
Solved! Jump to solution
Solution

hliakathali_spl
Splunk Employee
Splunk Employee
‎08-03-2016 03:06 AM

You would have to use some DNSlookup type of things to get IP address from host name. And you can use clientip, src_ip, dns_ip, server_ip..Etc according to your Splunk naming conversion you have to use the search strings. See the props.conf file for host and ip

Try to use this query,

index=_audit action="login attempt" info="succeeded"| head 20 | iplocation clientip | table clientip, user, _time
Reply
Solved! Jump to solution

Gayathirik
Path Finder
‎08-04-2016 06:36 AM

Excellent Harish!!! This really works!!!!

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...