
How to list servers sending logs to Splunk along with source & sourcetype details

splunkwar
Explorer

Hi,

I need to list all the source server details (hostname and IP address), including log paths and log file names, for every server that is sending logs to the Splunk environment. The following query doesn't fetch the IP address. Is there a better way to do it?

index=* 
| stats values(source) as sources ,values(sourcetype) as sourcetype by host

sumanssah
Communicator

Try the SPL below; it works normally if you are not on a Splunk Cloud environment. Please check and let us know if it works.

| tstats values(source) as sources, values(sourcetype) as sourcetype where index=* by host
| lookup dnslookup clienthost as host OUTPUT clientip as src_ip


splunkwar
Explorer

Hey mate, thanks for your answer. Do I need to make any changes to the | lookup part of the query? Pardon the basic doubt, I am new to Splunk.


sumanssah
Communicator

Hello @splunkwar, it's an internet lookup script. No changes required 🙂


splunkwar
Explorer

Thanks @sumanssah . It perfectly worked and fulfilled my need.


manjunathmeti
Champion

Check this query. In the results, host might contain IPs, hostnames, or just the names of the source. You need to map the host values to IPs using a CSV lookup.

| metasearch index=*
| stats count by index,source,host,sourcetype
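The mapping step that both answers above lean on (tstats/stats grouped by host, then host-to-IP via the dnslookup or a CSV lookup) is the part a Splunk newcomer usually has to get right outside the search bar: the host field is not uniformly a hostname. The following is an added example, not code from the thread or from Splunk, showing in Python how the stats output would be joined to a CSV lookup while handling a host value that is already an IP literal, a fully-qualified name, or a short name, and reporting hosts the lookup cannot resolve (those are the coverage gaps in your inventory). The search results and the lookup file contents are constructed for the example.

```python
"""
Added example (not from the Splunk Community thread or from Splunk itself):
take the host/source/sourcetype rows that a search such as
  | metasearch index=* | stats count by index,source,host,sourcetype
produces, and map each host to an IP with a CSV lookup, as manjunathmeti's
reply suggests. Hosts that are already IP literals are passed through;
unresolved hosts are kept and flagged rather than silently dropped.
All data below is constructed for the example.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed stand-in for the rows returned by the stats/tstats search.
SEARCH_RESULTS = [
    {"host": "web01.corp.example", "source": "/var/log/nginx/access.log", "sourcetype": "nginx:access"},
    {"host": "web01.corp.example", "source": "/var/log/auth.log", "sourcetype": "linux_secure"},
    {"host": "DC01", "source": "WinEventLog:Security", "sourcetype": "WinEventLog"},
    {"host": "10.0.5.20", "source": "/var/log/syslog", "sourcetype": "syslog"},
    {"host": "fw-edge", "source": "udp:514", "sourcetype": "cisco:asa"},
]

# Constructed contents of a host_to_ip.csv lookup file (hypothetical name).
HOST_TO_IP_CSV = """host,ip
web01.corp.example,10.0.1.11
dc01.corp.example,10.0.1.5
"""


def load_lookup(csv_text):
    """Parse the lookup CSV into {normalised host: ip}. Keys are lowercase and
    each FQDN is also stored under its short name so either form matches."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        fqdn = row["host"].strip().lower()
        ip = row["ip"].strip()
        table[fqdn] = ip
        table.setdefault(fqdn.split(".")[0], ip)
    return table


def resolve_host(host, table):
    """Return (ip or None, how). A host that is already an IP literal is
    passed through unchanged; otherwise the CSV lookup is consulted."""
    try:
        return str(ipaddress.ip_address(host)), "literal"
    except ValueError:
        pass
    key = host.strip().lower()
    if key in table:
        return table[key], "lookup"
    return None, "unresolved"


def build_inventory(results, table):
    """Group sources/sourcetypes per host (like values(...) by host) and attach
    the resolved IP. Unresolved hosts stay in the inventory with ip=None so
    gaps in the lookup table are visible instead of vanishing."""
    grouped = defaultdict(lambda: {"sources": set(), "sourcetypes": set()})
    for r in results:
        grouped[r["host"]]["sources"].add(r["source"])
        grouped[r["host"]]["sourcetypes"].add(r["sourcetype"])
    inventory = []
    for host, fields in sorted(grouped.items()):
        ip, how = resolve_host(host, table)
        inventory.append({
            "host": host,
            "ip": ip,
            "resolved_by": how,
            "sources": sorted(fields["sources"]),
            "sourcetypes": sorted(fields["sourcetypes"]),
        })
    return inventory


def unresolved_hosts(inventory):
    """Hosts whose IP could not be determined; each needs a lookup row."""
    return [e["host"] for e in inventory if e["ip"] is None]


if __name__ == "__main__":
    inv = build_inventory(SEARCH_RESULTS, load_lookup(HOST_TO_IP_CSV))
    for e in inv:
        print(f'{e["host"]:20} {e["ip"] or "-":12} {e["resolved_by"]:10} {", ".join(e["sources"])}')
    print("unresolved:", unresolved_hosts(inv))
```

In the constructed data, fw-edge is reported as unresolved: that is the case to watch for in a real environment, since a forwarder or syslog sender whose host value matches nothing in your lookup is exactly the log source you cannot attribute to an asset.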

splunkwar
Explorer

Thanks for your answer !


richgalloway
SplunkTrust

Do you have a lookup table that maps host names to IP addresses?

---
If this reply helps you, Karma would be appreciated.