Splunk Search

How do I find internal and external ip addresses of splunk universal forwarder?

snakhuda
Engager

Hi there,

I have a use case to query internal and external ip addresses of the host which has UF installed. I am using approach below and hoping for a better solution. Appreciate your help in advance!

For external IP:

index=_internal group=tcpin_connections hostname=* 

This will provide me sourceIp (external ip)

For Internal IP:

index=_internal sourcetype=splunkd_access phonehome | rex command to retrieve internal ip from the string

Is this the correct approach? I was hoping for a single search to retrieve both IPs.  

0 Karma
1 Solution

yeahnah
Motivator

Hi @snakhuda 

I'm not sure what you mean by external and internal IP address for a Splunk UF.  However, if you needed to tie these two events together then something like this should work for you

index=_internal (group=tcpin_connections hostname=* sourceIp=* guid=*) OR (sourcetype=splunkd_access phonehome clientip=*)
| rex field=file "(?:(.+?_)){4}(?<hostname>[^_]+)_(?<guid>.*)"
| fields guid hostname sourceIp clientip
| rename sourceIp AS externalIP clientip AS internalIP
| stats values(*) AS * BY guid

Hopefully this helps you find what you're looking for


0 Karma
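As an added illustration of what the accepted search above does (this is example code, not yeahnah's or Splunk's), the following Python mirrors the `rex` on the `file` field and the `stats values(*) AS * BY guid` join over a few constructed events. It assumes the phonehome path has the layout `connection_<dsip>_<dsport>_<clientip>_<hostname>_<guid>` and that the third segment is the address the forwarder reports about itself, while `clientip` and `sourceIp` are what the deployment server and indexer saw on the socket; both are assumptions about the format, not facts taken from the thread. It also keeps a hostname containing `_` intact, which the `[^_]+` in the original rex cannot do.

```python
import re
from collections import defaultdict

# Python equivalent of the rex in the answer (named groups use (?P<...>)).
REX_FILE = re.compile(r"(?:(.+?_)){4}(?P<hostname>[^_]+)_(?P<guid>.*)")

# Constructed sample events, not real Splunk output. The "file" layout
# connection_<dsip>_<dsport>_<clientip>_<hostname>_<guid> is an assumption.
PHONEHOME = [
    {"clientip": "203.0.113.45",
     "file": "connection_10.0.0.5_8089_192.168.1.20_web01_1A2B3C"},
    {"clientip": "203.0.113.45",
     "file": "connection_10.0.0.5_8089_192.168.1.21_db_primary_4D5E6F"},
]
TCPIN = [
    {"hostname": "web01", "sourceIp": "203.0.113.45", "guid": "1A2B3C"},
    {"hostname": "db_primary", "sourceIp": "203.0.113.45", "guid": "4D5E6F"},
]


def rex_parse(file_field):
    """Apply the answer's rex literally. Returns (hostname, guid) or None."""
    m = REX_FILE.match(file_field)
    return (m.group("hostname"), m.group("guid")) if m else None


def parse_phonehome(file_field):
    """Split the phonehome path into its assumed fields.

    Splits on the first four underscores, then takes the GUID off the end,
    so a hostname that itself contains "_" (e.g. db_primary) stays whole.
    Returns None for anything that does not look like a phonehome path.
    """
    parts = file_field.split("_", 4)
    if len(parts) != 5 or parts[0] != "connection":
        return None
    _, ds_ip, ds_port, reported_ip, rest = parts
    if "_" not in rest:
        return None
    hostname, guid = rest.rsplit("_", 1)
    return {"ds_ip": ds_ip, "ds_port": ds_port, "reportedIP": reported_ip,
            "hostname": hostname, "guid": guid}


def correlate(phonehome_events, tcpin_events):
    """Join both event types by GUID, like `stats values(*) AS * BY guid`.

    Every field is a set of values, so two different addresses seen for one
    GUID are both kept instead of being silently collapsed to one.
    """
    by_guid = defaultdict(lambda: defaultdict(set))
    for ev in phonehome_events:
        p = parse_phonehome(ev["file"])
        if p is None:
            continue
        rec = by_guid[p["guid"]]
        rec["hostname"].add(p["hostname"])
        rec["internalIP"].add(p["reportedIP"])  # address the UF reports (assumed)
        rec["seenByDS"].add(ev["clientip"])      # address the DS saw (may be NAT)
    for ev in tcpin_events:
        rec = by_guid[ev["guid"]]
        rec["hostname"].add(ev["hostname"])
        rec["externalIP"].add(ev["sourceIp"])    # address the indexer saw
    return {g: {k: sorted(v) for k, v in r.items()} for g, r in by_guid.items()}


if __name__ == "__main__":
    for guid, rec in correlate(PHONEHOME, TCPIN).items():
        print(guid, rec)
```

Running it shows why the distinction matters for BTrust's scenario later in the thread: for both sample forwarders `externalIP` and `seenByDS` are the same NAT address (203.0.113.45), and only the address embedded in the phonehome path differs per host.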

gcusello
SplunkTrust

Hi @snakhuda,

running this search you can have all the information about connected clients, also IP:

| rest splunk_server=<hostname_deployment_server> /services/deployment/server/clients

Ciao.

Giuseppe

0 Karma


BTrust
Path Finder

Hi @yeahnah,

Unfortunately your solution doesn't provide the truth, as the clientIp is NOT equal to the internal IP; it's unfortunately the public IP, which is not the same as the internal IP, and what I'd rather call the private IP.

The reason I know this is because I'm sitting with a bunch of external UFs calling home to a DPL outside the network of all the UFs, and I need to get the same information, the internal (private) IP, but it's not available.

Till now I only see one way, which is scripted input and/or an existing app that collects this info.

Your search is still good 😉 it just doesn't provide what's requested.

0 Karma

PickleRick
SplunkTrust

To answer such a question one should first define what "internal" and "external" IPs mean here, given the many possible deployment scenarios including multihomed hosts, NATs, intermediate forwarders, proxies and so on. Only then can one start digging into the available data.

0 Karma

BTrust
Path Finder

Hi @PickleRick ,

I agree to a certain extent.

The question here was how to "find internal and external ip addresses", and I think we can agree here that it's not the internal IP that is presented, unless they are sitting on the same network. But as many (most, I suppose) are more or less distributed, you'll not be able to get the internal IP this way, right?

0 Karma

PickleRick
SplunkTrust

The question was very vague and ambiguous.

Let's consider a situation where you have a server hosting two interfaces - 192.168.10.23/24 and 172.17.1.10/24. It receives HEC data on the 172.17.1.10 interface and has a default route via 192.168.10.1. It sends its data to an indexer located at 10.1.2.3/24 but the connection is SNAT-ed so it appears to the indexer as coming from 10.20.1.1.

What is internal and external in this case? It is _not_ straightforward. I could throw in an intermediate forwarder to this mix and possibly some HTTP proxy.

"Internal" and "external" mean different things depending on where you look from.

0 Karma

BTrust
Path Finder

As you say, it "is _not_ straightforward", and I agree, which is why I think the "solution" here is vague and ought to be refined.

0 Karma

snakhuda
Engager

Thank you! This is much better. I was running 2 separate queries and then going to use 2 lookup tables to retrieve IPs by hostname. Appreciate your help!

Thanks!!

0 Karma

gcusello
SplunkTrust

Hi @snakhuda,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma