Splunk Search

How do I find the internal and external IP addresses of a Splunk universal forwarder?

snakhuda
Engager

Hi there,

I have a use case to query the internal and external IP addresses of the host which has the UF installed. I am using the approach below and hoping for a better solution. Appreciate your help in advance!

For external IP:

index=_internal group=tcpin_connections hostname=*

This will provide me with sourceIp (the external IP).

For Internal IP:

index=_internal sourcetype=splunkd_access phonehome | rex command to retrieve internal ip from the string

Is this the correct approach? I was hoping for a single search to retrieve both IPs.

0 Karma
1 Solution

yeahnah
Motivator

Hi @snakhuda 

I'm not sure what you mean by external and internal IP address for a Splunk UF. However, if you need to tie these two events together, then something like this should work for you:

index=_internal (group=tcpin_connections hostname=* sourceIp=* guid=*) OR (sourcetype=splunkd_access phonehome clientip=*)
| rex field=file "(?:(.+?_)){4}(?<hostname>[^_]+)_(?<guid>.*)"
| fields guid hostname sourceIp clientip
| rename sourceIp AS externalIP clientip AS internalIP
| stats values(*) AS * BY guid

Hopefully this helps you find what you're looking for

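As an added illustration (not code from this thread, and not Splunk's own), the following Python emulates the accepted search over constructed sample events: it applies the same rex to the phonehome file field, joins the two event types by guid, and flags whether the resulting "internal" IP is actually an RFC 1918 address, which is the caveat raised later in the thread. The metrics and access-log field layouts, hostnames, IPs and GUIDs are assumptions, not real data.

```python
import ipaddress
import re

# The answer's rex, translated to Python's (?P<name>...) named-group syntax.
FILE_RE = re.compile(r"(?:(.+?_)){4}(?P<hostname>[^_]+)_(?P<guid>.*)")
KV_RE = re.compile(r"(\w+)=(\S+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample events (not real logs); hostnames, IPs and GUIDs are placeholders.
TCPIN_EVENTS = [
    "INFO  Metrics - group=tcpin_connections 203.0.113.7:51234:9997 connectionType=cooked "
    "sourceIp=203.0.113.7 destPort=9997 hostname=uf-01 guid=GUID-UF-01 fwdType=uf",
    "INFO  Metrics - group=tcpin_connections 10.0.5.21:40100:9997 connectionType=cooked "
    "sourceIp=10.0.5.21 destPort=9997 hostname=uf-02 guid=GUID-UF-02 fwdType=uf",
]
# (clientip, file) pairs as splunkd_access exposes them for phonehome requests (assumed layout).
PHONEHOME_EVENTS = [
    ("203.0.113.7", "/services/broker/phonehome/connection_203.0.113.7_8089_uf-01_uf-01_GUID-UF-01"),
    ("10.0.5.21", "/services/broker/phonehome/connection_10.0.5.21_8089_uf-02_uf-02_GUID-UF-02"),
]


def parse_phonehome_file(path):
    """Apply the rex to the phonehome URL; returns (hostname, guid) or None if it does not match."""
    m = FILE_RE.search(path)
    return (m.group("hostname"), m.group("guid")) if m else None


def is_rfc1918(ip):
    """True only for the private ranges a forwarder admin would call an 'internal' address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def join_by_guid(tcpin_events, phonehome_events):
    """Emulate '| rename ... | stats values(*) AS * BY guid' over both event types."""
    by_guid = {}
    for raw in tcpin_events:
        kv = dict(KV_RE.findall(raw))
        if kv.get("group") != "tcpin_connections" or "guid" not in kv:
            continue
        by_guid[kv["guid"]] = {"hostname": kv.get("hostname"), "externalIP": kv.get("sourceIp")}
    for clientip, path in phonehome_events:
        parsed = parse_phonehome_file(path)
        if parsed is None:
            continue
        hostname, guid = parsed
        rec = by_guid.setdefault(guid, {"hostname": hostname, "externalIP": None})
        rec["internalIP"] = clientip
        # clientip is the address the deployment server sees after any NAT, so a
        # non-RFC1918 value here is not an internal address at all (see BTrust's reply).
        rec["internalIP_is_private"] = is_rfc1918(clientip)
    return by_guid
```

For uf-01 both columns come back as the same public address, which is exactly the case where the search cannot reveal the forwarder's private IP.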

seth_a_zuykn-io
Engager

@snakhuda We built this for the external public IP portion if you need it still:
https://zuykn.io/apps/splunk
https://github.com/zuykn/TA-get_public_ip

Get Public IP Add-on
━━━━━━━━━━━

A lightweight, cross-platform add-on that collects your Splunk Forwarder’s external public IPv4 address using native system commands only — implemented in Windows Batch (.bat) and POSIX sh (Linux / Unix / macOS).

━━━━━━━━━━━
⚙️Highlights
• HTTPS or DNS lookup with intelligent fallback
• No dependencies — built-in system tools only
• Auto-selects commands:
 ↳ Windows → curl, certutil, bitsadmin, nslookup
 ↳ Linux / macOS → curl, wget, dig, nslookup
• Works with any IPv4-returning site — checkip.amazonaws.com, ipinfo.io/ip, icanhazip.com, etc.


Let me know if you have any questions!
- Seth


BTrust
Path Finder

Hi @seth_a_zuykn-io ,

Thanks a lot, this was indeed an interesting read and useful input, most appreciated!

/Bjarbe

gcusello
SplunkTrust

Hi @snakhuda,

running this search you can get all the information about connected clients, including the IP:

| rest splunk_server=<hostname_deployment_server> /services/deployment/server/clients

Ciao.

Giuseppe

0 Karma


BTrust
Path Finder

Hi @yeahnah,

Unfortunately your solution doesn't provide the truth, as the clientIp is NOT equal to the internal IP; it's unfortunately the public IP, which is not the same as the internal one - and what I'd rather call the private IP.

The reason I know this is because I'm sitting with a bunch of external UFs calling home to a DPL outside the network of all the UFs, and I need to get the same information - the internal (private) IP - but it's not available.

Till now I only see one way, which is a scripted input and/or an existing app that collects this info.

Your search is still good 😉 it just doesn't provide what's requested.

0 Karma

PickleRick
SplunkTrust

To answer such a question one should first define what "internal" and "external" IPs mean here, given the many possible deployment scenarios including multihomed hosts, NATs, intermediate forwarders, proxies and so on. Only then can one start digging into the available data.

0 Karma

BTrust
Path Finder

Hi @PickleRick ,

I agree to a certain extent.

The question here was how to "find internal and external ip addresses", and I think we can agree that it's not the internal IP that is presented, unless they are sitting on the same network. But as many (most, I suppose) are more or less distributed, you won't be able to get the internal IP this way - right?

0 Karma

PickleRick
SplunkTrust

The question was very vague and ambiguous.

Let's consider a situation where you have a server hosting two interfaces - 192.168.10.23/24 and 172.17.1.10/24. It receives HEC data on the 172.17.1.10 interface and has a default route via 192.168.10.1. It sends its data to an indexer located at 10.1.2.3/24 but the connection is SNAT-ed so it appears to the indexer as coming from 10.20.1.1.

What is internal and external in this case? It is _not_ straightforward. I could throw in an intermediate forwarder to this mix and possibly some HTTP proxy.

"Internal" and "external" mean different things depending on where you look from.

0 Karma

BTrust
Path Finder

As you say, it "is _not_ straightforward", and I agree, which is why I think the "solution" here is vague and ought to be refined.

0 Karma

snakhuda
Engager

Thank you! This is much better. I was running 2 separate queries and then going to use 2 lookup tables to retrieve the IPs by hostname. Appreciate your help!

Thanks!!

0 Karma

gcusello
SplunkTrust

Hi @snakhuda,

good for you, see you next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma