Splunk Search

How do I find internal and external ip addresses of splunk universal forwarder?

snakhuda
Engager

Hi there,

I have a use case to query the internal and external IP addresses of the host which has the UF installed. I am using the approach below and hoping for a better solution. Appreciate your help in advance!

For external IP:

index=_internal group=tcpin_connections hostname=* 

This will provide me sourceIp (external IP).

For Internal IP:

index=_internal sourcetype=splunkd_access phonehome | rex command to retrieve the internal IP from the string

Is this the correct approach? I was hoping for a single search to retrieve both IPs.  

0 Karma
1 Solution

yeahnah
Motivator

Hi @snakhuda 

I'm not sure what you mean by external and internal IP address for a Splunk UF. However, if you needed to tie these two events together, then something like this should work for you:

index=_internal (group=tcpin_connections hostname=* sourceIp=* guid=*) OR (sourcetype=splunkd_access phonehome clientip=*)
| rex field=file "(?:(.+?_)){4}(?<hostname>[^_]+)_(?<guid>.*)"
| fields guid hostname sourceIp clientip
| rename sourceIp AS externalIP clientip AS internalIP
| stats values(*) AS * BY guid

Hopefully this helps you find what you're looking for.


0 Karma

gcusello
SplunkTrust

Hi @snakhuda,

Running this search, you can get all the information about connected clients, including the IP:

| rest splunk_server=<hostname_deployment_server> /services/deployment/server/clients

Ciao.

Giuseppe

0 Karma


BTrust
Path Finder

Hi @yeahnah,

Unfortunately your solution doesn't provide the truth, as the clientip is NOT equal to the internal IP; it's unfortunately the public IP, which is not the same as the internal one - what I'd rather call the private IP.

The reason I know this is because I'm sitting with a bunch of external UFs calling home to a DPL outside the network of all the UFs, and I need to get the same information - the internal (private) IP - but it's not available.

So far I only see one way, which is a scripted input and/or an existing app that collects this info.

Your search is still good 😉 it just doesn't provide what's requested.

0 Karma
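Following up on the scripted-input route mentioned in the post above: an added example, not code from any poster or from Splunk, of a scripted input that runs on the UF host and emits each bound address with a private/public label, so the UF's own view of its addresses lands in the index and can be joined on host with the sourceIp the indexer or deployment server sees. The script path, the event format and the field names are assumptions.

```python
#!/usr/bin/env python3
# Assumed location: $SPLUNK_HOME/etc/apps/<app>/bin/uf_addresses.py, run as a
# scripted input; every name here is an assumption, not a Splunk-provided API.
import ipaddress
import socket
import time


def classify(addr):
    """Label an address the way the thread distinguishes them: RFC 1918,
    ULA and link-local ranges are 'private'; loopback is 'loopback';
    anything else is 'public'. A scope id such as '%eth0' is stripped first."""
    ip = ipaddress.ip_address(addr.split("%")[0])
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "public"


def local_addresses():
    """Resolve every address bound to this host's name, without loopback
    and without duplicates; an unresolvable hostname yields an empty list."""
    try:
        infos = socket.getaddrinfo(socket.gethostname(), None)
    except socket.gaierror:
        return []
    found = []
    for info in infos:
        addr = info[4][0]
        if addr not in found and classify(addr) != "loopback":
            found.append(addr)
    return found


def format_events(hostname, addresses, ts=None):
    """One key=value line per address so that each line indexes as its own
    event and can later be joined on host with the tcpin_connections data."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S%z",
                          time.localtime(time.time() if ts is None else ts))
    return ['%s host="%s" ip="%s" scope="%s"' % (stamp, hostname, a, classify(a))
            for a in addresses]


if __name__ == "__main__":
    for line in format_events(socket.gethostname(), local_addresses()):
        print(line)
```

Note that getaddrinfo only returns addresses tied to the hostname; on a multihomed host like the one discussed further down, interfaces not registered under that name would need an extra source such as parsing `ip addr` output.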

PickleRick
SplunkTrust

To answer such a question one should first define what "internal" and "external" IPs mean here, given the many possible deployment scenarios including multihomed hosts, NATs, intermediate forwarders, proxies and so on. Only then can one start digging into the available data.

0 Karma

BTrust
Path Finder

Hi @PickleRick ,

I agree to a certain extent.

The question here was how to "find internal and external ip addresses", and I think we can agree that it's not the internal IP that is presented, unless they are sitting on the same network. But as many (most, I suppose) are more or less distributed, you'll not be able to get the internal IP this way - right?

0 Karma

PickleRick
SplunkTrust

The question was very vague and ambiguous.

Let's consider a situation where you have a server hosting two interfaces - 192.168.10.23/24 and 172.17.1.10/24. It receives HEC data on the 172.17.1.10 interface and has a default route via 192.168.10.1. It sends its data to an indexer located at 10.1.2.3/24 but the connection is SNAT-ed so it appears to the indexer as coming from 10.20.1.1.

What is internal and external in this case? It is _not_ straightforward. I could throw in an intermediate forwarder to this mix and possibly some HTTP proxy.

"Internal" and "external" mean different things depending on where you look from.

0 Karma

BTrust
Path Finder

As you say: it "is _not_ straightforward", and I agree, which is why I think the "solution" here is vague and ought to be refined.

0 Karma

snakhuda
Engager

Thank you! This is much better. I was running 2 separate queries and was then going to use 2 lookup tables to retrieve IPs by hostname. Appreciate your help!

Thanks!!

0 Karma

gcusello
SplunkTrust

Hi @snakhuda,

good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma