How do I find internal and external ip addresses of splunk universal forwarder?

snakhuda
Engager

Hi there,

I have a use case to query internal and external ip addresses of the host which has UF installed. I am using the approach below and hoping for a better solution. Appreciate your help in advance!

For external IP:

index=_internal group=tcpin_connections hostname=* 

This will provide me sourceIp (external ip)

For Internal IP:

index=_internal sourcetype=splunkd_access phonehome | rex command to retrieve internal ip from the string

Is this the correct approach? I was hoping for a single search to retrieve both IPs.  

1 Solution

yeahnah
Motivator

Hi @snakhuda 

I'm not sure what you mean by external and internal IP address for a Splunk UF. However, if you need to tie these two events together, then something like this should work for you:

index=_internal (group=tcpin_connections hostname=* sourceIp=* guid=*) OR (sourcetype=splunkd_access phonehome clientip=*)
| rex field=file "(?:(.+?_)){4}(?<hostname>[^_]+)_(?<guid>.*)"
| fields guid hostname sourceIp clientip
| rename sourceIp AS externalIP clientip AS internalIP
| stats values(*) AS * BY guid

Hopefully this helps you find what you're looking for

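As an added example (not from the thread above), the accepted answer's join can be extended to surface inventory problems a defender would want to catch: forwarders whose internal and external addresses differ (NAT or a proxy in the path), guids reported under more than one hostname (typically a duplicated forwarder GUID on cloned hosts), and guids connecting from more than one source IP. Field names are the ones used in the accepted answer; everything else is standard eval and stats.

```spl
index=_internal (group=tcpin_connections hostname=* sourceIp=* guid=*) OR (sourcetype=splunkd_access phonehome clientip=*)
| rex field=file "(?:(.+?_)){4}(?<hostname>[^_]+)_(?<guid>.*)"
| rename sourceIp AS externalIP clientip AS internalIP
| stats latest(_time) AS lastSeen,
        values(hostname) AS hostname,
        values(externalIP) AS externalIP,
        values(internalIP) AS internalIP,
        dc(hostname) AS hostCount,
        dc(externalIP) AS externalCount
  BY guid
| eval natTranslated=if(mvcount(externalIP)==1 AND mvcount(internalIP)==1 AND externalIP!=internalIP, "yes", "no")
| eval review=case(hostCount>1, "multiple hostnames share one guid (possible duplicate GUID on cloned hosts)",
                   externalCount>1, "multiple source IPs for one guid",
                   true(), "ok")
| convert ctime(lastSeen)
| table guid hostname internalIP externalIP natTranslated review lastSeen
```

Rows with review other than "ok" are the ones worth following up on; the natTranslated column explains why internal and external addresses legitimately differ for hosts behind NAT.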

gcusello
SplunkTrust

Hi @snakhuda,

Running this search you can get all the information about connected clients, including the IP:

| rest splunk_server=<hostname_deployment_server> /services/deployment/server/clients

Ciao.

Giuseppe


snakhuda
Engager

Thank you! This is much better. I was running 2 separate queries and then going to use 2 lookup tables to retrieve IPs by hostname. Appreciate your help!

Thanks!!


gcusello
SplunkTrust

Hi @snakhuda,

Good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉
