Hi there,
I have a use case to query the internal and external IP addresses of the host which has the UF installed. I am using the approach below and am hoping for a better solution. Appreciate your help in advance!
For external IP:
index=_internal group=tcpin_connections hostname=*
This will provide me sourceIp (external ip)
For Internal IP:
index=_internal sourcetype=splunkd_access phonehome | rex command to retrieve internal ip from the string
Is this the correct approach? I was hoping for a single search to retrieve both IPs.
Hi @snakhuda
I'm not sure what you mean by external and internal IP address for a Splunk UF. However, if you needed to tie these two events together then something like this should work for you
index=_internal (group=tcpin_connections hostname=* sourceIp=* guid=*) OR (sourcetype=splunkd_access phonehome clientip=*)
| rex field=file "(?:(.+?_)){4}(?<hostname>[^_]+)_(?<guid>.*)"
| fields guid hostname sourceIp clientip
| rename sourceIp AS externalIP clientip AS internalIP
| stats values(*) AS * BY guid
Hopefully this helps you find what you're looking for
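To make the mechanics of the answer above concrete, here is an added example (not part of the original post or of Splunk) that emulates the `rex` extraction and the `stats values(*) AS * BY guid` join in Python over a few constructed events. The field layout of the two event types, the hostnames, GUIDs and IP addresses are assumptions made up for the demonstration; the only thing taken from the answer is the regular expression, translated to Python's `(?P<name>...)` named-group syntax.

```python
import re
from collections import defaultdict

# Constructed sample events shaped like the two _internal event types the
# search combines (assumption: these field names and the phonehome "file"
# layout connection_<ip>_<port>_<ip>_<hostname>_<guid>; IPs are TEST-NET).
TCPIN_EVENTS = [
    {"group": "tcpin_connections", "hostname": "fwd01", "guid": "AAAA-1111",
     "sourceIp": "203.0.113.10"},
    {"group": "tcpin_connections", "hostname": "fwd02", "guid": "BBBB-2222",
     "sourceIp": "203.0.113.11"},
]
PHONEHOME_EVENTS = [
    {"sourcetype": "splunkd_access", "clientip": "10.0.0.10",
     "file": "connection_10.0.0.10_8089_10.0.0.10_fwd01_AAAA-1111"},
    {"sourcetype": "splunkd_access", "clientip": "10.0.0.11",
     "file": "connection_10.0.0.11_8089_10.0.0.11_fwd02_BBBB-2222"},
    # a phonehome with no matching tcpin_connections event (forwarder that
    # checked in with the deployment server but has not sent data yet)
    {"sourcetype": "splunkd_access", "clientip": "10.0.0.12",
     "file": "connection_10.0.0.12_8089_10.0.0.12_fwd03_CCCC-3333"},
]

# The answer's rex, in Python syntax. Splunk's rex is unanchored, so search()
# rather than match() mirrors its behaviour.
FILE_RE = re.compile(r"(?:(.+?_)){4}(?P<hostname>[^_]+)_(?P<guid>.*)")


def extract_from_file(file_value):
    """Return (hostname, guid) from a phonehome 'file' value, or None.

    Note the regex takes hostname as [^_]+, so a hostname containing an
    underscore is split at its first underscore and the remainder leaks
    into guid; see the test below for that case."""
    m = FILE_RE.search(file_value)
    if not m:
        return None
    return m.group("hostname"), m.group("guid")


def join_by_guid(tcpin_events, phonehome_events):
    """Emulate `| rename sourceIp AS externalIP clientip AS internalIP
    | stats values(*) AS * BY guid`: one row per guid holding the distinct
    values seen for each field. A guid present in only one of the two event
    types simply lacks the other side's IP field, just as in the SPL."""
    rows = defaultdict(lambda: defaultdict(set))
    for ev in tcpin_events:
        g = ev["guid"]
        rows[g]["hostname"].add(ev["hostname"])
        rows[g]["externalIP"].add(ev["sourceIp"])
    for ev in phonehome_events:
        parsed = extract_from_file(ev["file"])
        if parsed is None:
            continue
        hostname, g = parsed
        rows[g]["hostname"].add(hostname)
        rows[g]["internalIP"].add(ev["clientip"])
    # sorted lists so the result is deterministic, like values()
    return {g: {k: sorted(v) for k, v in fields.items()}
            for g, fields in rows.items()}


if __name__ == "__main__":
    for guid, fields in join_by_guid(TCPIN_EVENTS, PHONEHOME_EVENTS).items():
        print(guid, fields)
```

The practical caveat this shows: the join key is the forwarder GUID, so a forwarder that has only phoned home (or only sent data) appears with just one IP column, and a hostname containing an underscore is truncated by the `[^_]+` group, with the tail of the hostname ending up in `guid` and breaking the join for that host.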
Hi @snakhuda,
running this search you can have all the information about connected clients, also IP:
| rest splunk_server=<hostname_deployment_server> /services/deployment/server/clients
Ciao.
Giuseppe
Thank you! This is much better. I was running 2 separate queries and was then going to use 2 lookup tables to retrieve IPs by hostname. Appreciate your help!
Thanks!!
Hi @snakhuda,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉