How do I find internal and external ip addresses of splunk universal forwarder?

snakhuda
Engager

Hi there,

I have a use case to query internal and external ip addresses of the host which has UF installed. I am using approach below and hoping for a better solution. Appreciate your help in advance!

For external IP:

index=_internal group=tcpin_connections hostname=* 

This will provide me sourceIp (external ip)

For Internal IP:

index=_internal sourcetype=splunkd_access phonehome | rex command to retrieve internal ip from the string

Is this the correct approach? I was hoping for a single search to retrieve both IPs.  


yeahnah
Motivator

Hi @snakhuda 

I'm not sure what you mean by external and internal IP address for a Splunk UF.  However, if you needed to tie these two events together then something like this should work for you

index=_internal (group=tcpin_connections hostname=* sourceIp=* guid=*) OR (sourcetype=splunkd_access phonehome clientip=*)
| rex field=file "(?:(.+?_)){4}(?<hostname>[^_]+)_(?<guid>.*)"
| fields guid hostname sourceIp clientip
| rename sourceIp AS externalIP clientip AS internalIP
| stats values(*) AS * BY guid

Hopefully this helps you find what you're looking for

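To make concrete what the accepted search does with the two event types the question describes, here is an added Python illustration; it is not code from the thread, from the posters, or from Splunk. It takes two constructed sample events (one metrics.log tcpin_connections event from an indexer, one splunkd_access phonehome request from a deployment server; the IPs, hostnames, GUIDs and exact line layout are assumptions), applies the same rex as the answer to the request path (the `file` field), renames sourceIp/clientip to externalIP/internalIP, and groups the values by guid the way `stats values(*) AS * BY guid` does.

```python
import re
from collections import defaultdict

# Constructed sample events, modelled on the two _internal sourcetypes the
# accepted answer combines. They are illustrative, not captured log data.
TCPIN_EVENTS = [
    "INFO  Metrics - group=tcpin_connections, 203.0.113.10:51234:9997, connectionType=cooked, "
    "sourcePort=51234, sourceHost=203.0.113.10, sourceIp=203.0.113.10, destPort=9997, "
    "fwdType=uf, hostname=web01, guid=11111111-AAAA-4BBB-8CCC-000000000001",
    "INFO  Metrics - group=tcpin_connections, 198.51.100.7:40022:9997, connectionType=cooked, "
    "sourcePort=40022, sourceHost=198.51.100.7, sourceIp=198.51.100.7, destPort=9997, "
    "fwdType=uf, hostname=db02, guid=22222222-AAAA-4BBB-8CCC-000000000002",
]

PHONEHOME_EVENTS = [
    '10.10.1.21 - - [01/Aug/2023:10:00:01.000 +0000] "POST /services/broker/phonehome/'
    'connection_10.10.1.21_8089_10.10.1.21_web01_11111111-AAAA-4BBB-8CCC-000000000001 '
    'HTTP/1.0" 200 24 - - - 2ms',
    '10.10.2.35 - - [01/Aug/2023:10:00:02.000 +0000] "POST /services/broker/phonehome/'
    'connection_10.10.2.35_8089_10.10.2.35_db02_22222222-AAAA-4BBB-8CCC-000000000002 '
    'HTTP/1.0" 200 24 - - - 2ms',
]

# key=value pairs in a metrics.log event (comma separated)
KV_RE = re.compile(r"(\w+)=([^,\s]+)")

# The rex from the accepted answer, applied to the phonehome request path.
# Python's re module spells named groups (?P<name>...) rather than PCRE's
# (?<name>...); the pattern is otherwise identical.
FILE_RE = re.compile(r"(?:(.+?_)){4}(?P<hostname>[^_]+)_(?P<guid>.*)")

# Minimal splunkd_access line parser: client IP and request path ("file").
ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<file>\S+)'
)


def parse_tcpin(event: str):
    """Return guid, hostname and externalIP (the answer's sourceIp) or None."""
    kv = dict(KV_RE.findall(event))
    if kv.get("group") != "tcpin_connections":
        return None
    if not all(k in kv for k in ("guid", "hostname", "sourceIp")):
        return None
    return {"guid": kv["guid"], "hostname": kv["hostname"], "externalIP": kv["sourceIp"]}


def parse_phonehome(event: str):
    """Return guid, hostname and internalIP (the answer's clientip) or None."""
    m = ACCESS_RE.match(event)
    if not m or "phonehome" not in m.group("file"):
        return None
    f = FILE_RE.search(m.group("file"))
    if not f:
        return None
    return {
        "guid": f.group("guid"),
        "hostname": f.group("hostname"),
        "internalIP": m.group("clientip"),
    }


def correlate(tcpin_events, phonehome_events):
    """Equivalent of `stats values(*) AS * BY guid` over both event sets:
    a dict keyed by guid, each field holding its sorted distinct values."""
    by_guid = defaultdict(lambda: defaultdict(set))
    for parser, events in ((parse_tcpin, tcpin_events), (parse_phonehome, phonehome_events)):
        for ev in events:
            rec = parser(ev)
            if rec is None:
                continue
            guid = rec.pop("guid")
            for field, value in rec.items():
                by_guid[guid][field].add(value)
    return {g: {k: sorted(v) for k, v in fields.items()} for g, fields in by_guid.items()}


if __name__ == "__main__":
    for guid, fields in correlate(TCPIN_EVENTS, PHONEHOME_EVENTS).items():
        print(guid, fields)
```

One caveat a practitioner should check before trusting the join: the `(?:(.+?_)){4}` prefix assumes the path has exactly four underscore-delimited segments before the hostname, so a host whose name itself contains an underscore ends up with a truncated hostname and the remainder pushed into guid. Because GUIDs contain no underscores, splitting the path from the right (last segment is guid, the one before it is hostname) is more robust when your hostnames can contain underscores. The two sourcetypes also only line up when the same UF both sends data to the indexer and phones home to the deployment server whose splunkd_access you are searching.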

gcusello
SplunkTrust
SplunkTrust

Hi @snakhuda,

Running this search you can get all the information about connected clients, including IP:

| rest splunk_server=<hostname_deployment_server> /services/deployment/server/clients

Ciao.

Giuseppe



snakhuda
Engager

Thank you! This is much better. I was running 2 separate queries and then going to use 2 lookup tables to retrieve IPs by hostname. Appreciate your help!

Thanks!!


gcusello
SplunkTrust
SplunkTrust

Hi @snakhuda,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉
