Splunk Search

How do I search for all the IPs that are located in the domain controller?

Esmeralda1
New Member

This is my first time using Splunk and I don't know many commands. I am looking for a command where I can get all the IPs in the domain controller and their account name.

0 Karma
1 Solution

DalJeanis
SplunkTrust

Hi @Esmeralda1 -

Here's what you need to figure out.

1) What index(es) is the data you are looking for in?
2) What is an example of the name of the domain controller?
3) What is an example of an IP that is in the domain controller?
4) What is an example of an account name?

Given the above information, you can search that index to find out what, exactly, the records look like that you are looking for.

Let's suppose that the index is called "foo", that the records have sourcetype "foo1", the domain controller is "barNone", one IP is 1.2.3.4, and one account name is "Billy17".

Set the time for the last 24 hours, and put this in the search bar...

index="foo" sourcetype="foo1" ( "barNone" OR "1.2.3.4" ) | head 50

That will give you the most recent 50 records in that index that have either barNone or IP 1.2.3.4 or both.

If there are a bunch of one and none of the others, then just open another search tab and copy the search, but eliminate the one that had too many results.

After that, you're going to want to figure out what information on the IP record will tell you which domain controller it belongs to.

Next, do the same for billy17, and see what his IP might be. Let's assume the user record is in the same index but a different sourcetype...

index="foo" sourcetype="foo2" "billy17" | head 50

That will show you what those records look like.

Once you have the format of each of the records, then come back, open up a new question, and put a NON-CONFIDENTIAL sample of each kind of event in your question. Then we can help you put together a query that will give you what you need.


0 Karma
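A follow-on example, added here as an illustration and not part of DalJeanis's answer: once the discovery searches above have shown which fields carry the account and the client address, the keyword searches can be replaced by a field-based search that lists every source IP seen per account on the domain controller. It assumes Windows Security log data indexed with the Splunk Add-on for Microsoft Windows, where successful logon events (EventCode 4624) expose the account as `user`, the client address as `src_ip`, and the logon type as `Logon_Type`; the index `foo`, the sourcetype `WinEventLog:Security`, and the host `barNone` are placeholders to be replaced with the values found in the discovery searches.

```spl
index="foo" sourcetype="WinEventLog:Security" host="barNone" EventCode=4624
    NOT user="*$" NOT user="ANONYMOUS LOGON"
    src_ip=* NOT src_ip="-"
| stats count AS logons,
        earliest(_time) AS first_seen,
        latest(_time) AS last_seen,
        values(Logon_Type) AS logon_types
    BY user src_ip
| convert ctime(first_seen) ctime(last_seen)
| sort - logons
```

The second line drops computer accounts (names ending in `$`) and anonymous logons so only interactive user accounts are listed; the third keeps only events that actually carry a client address, since local and service logons record `-` or no `src_ip` at all. The `stats ... BY user src_ip` clause is what turns a pile of events into the "account to IP" table the question asks for, and `first_seen`/`last_seen` make it easy to spot an account that has started authenticating from an address it never used before. One caveat: 4624 events on a domain controller only describe logons to that controller itself (RDP, SMB, LDAP binds and the like), not every domain authentication; Kerberos ticket events (EventCode 4768/4769, with the client in `Client_Address` under the same add-on) give the broader picture of which addresses are authenticating as which accounts.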

Esmeralda1
New Member

Thank you, Dal.

0 Karma
