Splunk Search

How do I search for all the IPs that are located in the domain controller?

Esmeralda1
New Member

This is my first time using Splunk and I don't know many commands. I am looking for a command where I can get all the IPs in the domain controller and their account name.

0 Karma
1 Solution

DalJeanis
Legend

Hi @Esmeralda1 -

Here's what you need to figure out.

1) What index(es) is the data you are looking for in?
2) What is an example of the name of the domain controller?
3) What is an example of an IP that is in the domain controller?
4) What is an example of an account name?

Given the above information, you can search that index to find out what, exactly, the records look like that you are looking for.

Let's suppose that the index is called "foo", that the records have sourcetype "foo1", the domain controller is "barNone", one IP is 1.2.3.4, and one account name is "Billy17".

Set the time for the last 24 hours, and put this in the search bar...

index="foo" sourcetype="foo1" ( "barNone" OR "1.2.3.4"  ) | head 50 

That will give you the most recent 50 records in that index that have either barNone or IP 1.2.3.4 or both.

If there are a bunch of one and none of the others, then just open another search tab and copy the search, but eliminate the one that had too many results.

After that, you're going to want to figure out what information on the IP record will tell you which domain controller it belongs to.

Next, do the same for billy17, and see what his IP might be. Let's assume the user record is in the same index but a different sourcetype...

index="foo" sourcetype="foo2" "billy17" | head 50 

That will show you what those records look like.

Once you have the format of each of the records, then come back, open up a new question, and put a NON-CONFIDENTIAL sample of each kind of event in your question. Then we can help you put together a query that will give you what you need.


0 Karma
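Added example, not part of the original answer: once the discovery searches above have shown which fields the domain controller's records actually carry, the final query usually takes one of the two shapes below. Field names src_ip, user and logon_id, plus the index "foo", sourcetypes "foo1"/"foo2" and host "barNone", are assumptions carried over from the answer's placeholders; substitute what the sample events show.

```spl
index="foo" sourcetype="foo1" host="barNone" src_ip=* user=*
| where src_ip!="-" AND NOT cidrmatch("127.0.0.0/8", src_ip)
| stats count earliest(_time) AS first_seen latest(_time) AS last_seen BY src_ip user
| sort - last_seen
| convert ctime(first_seen) ctime(last_seen)

index="foo" (sourcetype="foo1" OR sourcetype="foo2") host="barNone" logon_id=*
| stats values(src_ip) AS src_ip values(user) AS user BY logon_id
| where isnotnull(src_ip) AND isnotnull(user)
| stats count BY src_ip user
```

The first search applies when IP and account name sit on the same event; the second stitches them together across two sourcetypes through a shared key (here the hypothetical logon_id) instead of a join, which scales far better on large indexes. The where clause drops loopback and the "-" placeholder that Windows logon events use when no network address was recorded.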

Esmeralda1
New Member

Thank you, Dal.

0 Karma
