index=* "23.216.147.64"
Above is my filter. I'm trying to get all the records of that IP address; is this filter correct? Please help.
Thanks,
Tony
Without an explanation of raw data, preferably with examples (anonymize as needed), "not manage to find details about the IP" and "no luck" conveys practically nothing. Why do you assume that 23.216.147.64 exists in your data? What "details" do you expect to find? What is the actual result that is absent of such details? Volunteers already know that the filter did not give you desired results. Otherwise you wouldn't ask the original question.
Hi @tonyfer,
In general, your solution is correct: by adding a string (such as "23.216.147.64") to your search, you perform a full-text search on your logs, but it isn't very performant.
You could analyze your data and understand if the IPs to search are in a limited number of fields; in this case, you could change your main search in this way:
index=* (field1="23.216.147.64" OR field2="23.216.147.64" OR field3="23.216.147.64")
Then you should check if, in the above fields, there's only the IP or something additional (e.g. "\\23.216.147.64"); in this case, you could also use the solution from @SanjayReddy.
Ciao.
Giuseppe
Hi
I've tried all the below solutions and still no luck:
index=* sourcetype="suricata" "*23.216.147.64*"
index=* sourcetype="fortigate_utm" "*23.216.147.64*"
index=* sourcetype="fortigate_traffic" "*23.216.147.64*"
index=* sourcetype="fortigate_event" "*23.216.147.64*"
index=* sourcetype="firewall" "*23.216.147.64*"
index=* sourcetype="sysmon" "*23.216.147.64*"
index=* sourcetype="xmlwineventlog" "*23.216.147.64*"
index=* sourcetype="xmlwineventlog:microsoft-windows-sysmon/operation" "*23.216.147.64*"
index=* sourcetype="WinEventLog:Security" "*23.216.147.64*"
Tony
Hi @tonyfer
Looks okay; you can try adding * before and after the IP address:
"*23.216.147.64*"
However, you are trying to use index=*, which is generic and consumes a lot of time and resources.
Try to use a specific index name, and if the IP address you are looking for is present in any field, please use the field name as well.
e.g.:
index=indexA <field_name>="*23.216.147.64*"
----
Regards,
Sanjay Reddy
----
If this reply helps you, Karma would be appreciated
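Putting Giuseppe's field-specific search and Sanjay's "name the index and the field" advice together, here is an added example (my own, not from either answer) of how I would first confirm whether the IP is indexed at all, and only then pull its records by field. The field names src_ip, dest_ip, src and dest are assumptions; substitute whatever your sourcetypes actually extract, and make sure the time picker covers the period you expect the events in.

```spl
| tstats count WHERE index=* TERM(23.216.147.64) BY index sourcetype

index=* (src_ip="23.216.147.64" OR dest_ip="23.216.147.64" OR src="*23.216.147.64*" OR dest="*23.216.147.64*")
| stats count min(_time) AS first_seen max(_time) AS last_seen BY index sourcetype
| convert ctime(first_seen) ctime(last_seen)
```

The first search is a cheap index-time check: if it returns no rows, the IP does not appear as a whole token in any index for the selected time range, so no sourcetype filter will find it and the problem is the data or the time range, not the filter. The second search does the expensive field-based work only where the first shows events exist; the wildcards on src and dest cover values with extra characters around the address, like the "\\23.216.147.64" case Giuseppe mentions.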
Hi
Sanjay, I've tried all the possible filters and still can't manage to find details about the IP:
index=* sourcetype="suricata" "*23.216.147.64*"
index=* sourcetype="fortigate_utm" "*23.216.147.64*"
index=* sourcetype="fortigate_traffic" "*23.216.147.64*"
index=* sourcetype="fortigate_event" "*23.216.147.64*"
index=* sourcetype="firewall" "*23.216.147.64*"
index=* sourcetype="sysmon" "*23.216.147.64*"
index=* sourcetype="xmlwineventlog" "*23.216.147.64*"
index=* sourcetype="xmlwineventlog:microsoft-windows-sysmon/operation" "*23.216.147.64*"
index=* sourcetype="WinEventLog:Security" "*23.216.147.64*"
Can you please help me with what I could be doing wrong?
Thanks,
Tony