Solved: How to replace hostname with IP in result?

aojie654 · ‎07-10-2019

Hi, splunkers:

I have a puzzle that I need to show host IP in result but not the hostname. E.g. after I ran the search query index=* error | stats count by host the result looks like following:

host    count
aj-ins5577  229
sja_v_jp0_236   4

But I need to show the IP in the result bu not hostname just like:

host    count
10.6.10.132    229
10.6.11.10    4

And I have no lookup table on my server. So is there any method to get ip in splunk?
I found a REST way to list all forwarders IP in search like run | rest /services/deployment/server/clients | table hostname, ip and the result is:

hostname    ip
aj-ins5577  10.6.10.132
sja_v_jp0_236   10.6.11.10
sja_b_us0_139   10.6.10.111

I think maybe I can append a output command to export the result then I can use the lookup table to display the IP in result. But there are obviously a disadvantage is there is only the forwarders IP in it but no indexer and search heads in it.

Is there any good ideas? Thanks!

Best regards,
Shengjyer Ao

woodcock · ‎07-10-2019

Like this:

<Your first search here>
| eval which="main"
| appendpipe [|rest/services/deployment/server/clients | table hostname ip | rename hostname As host]
| stats values(*) AS * BY host
| where which=="main"

View solution in original post

woodcock · ‎07-10-2019

Like this:

<Your first search here>
| eval which="main"
| appendpipe [|rest/services/deployment/server/clients | table hostname ip | rename hostname As host]
| stats values(*) AS * BY host
| where which=="main"

aojie654 · ‎07-10-2019

Hi, woodcock:

I used the search query following you like this:
index=_internal error | stats count by host | appendpipe [|rest/services/deployment/server/clients | table hostname ip | rename hostname As host ] | stats values(*) AS * BY host | eval host=if(isnotnull(ip), ip, host) | fields host count
And the result is looks like this:
host count
10.6.10.132 12834
aojie654-splunk-aab4 2806
sja-q-sh0-110 80
10.6.11.10 14
10.6.10.111 10
It looks like the fowarders result is good and the indexers and search head is still display their hostname, any idea to replace their hostname with IP?

woodcock · ‎07-10-2019

Like this:

index=_internal error 
| stats count by host 
| append
[|rest/services/deployment/server/clients 
| table hostname ip 
| rename hostname As host] 
| stats values(*) AS * BY host
| eval host=coalesce(ip, host)
| fields host count

woodcock · ‎07-10-2019

And if you still have problems, SEE MY OTHER ANSWER!

aojie654 · ‎07-10-2019

I'll using python to replace hostname with IP and thanks a lot for you help ^_^

woodcock · ‎07-11-2019

Then why did you ask a question that has absolutely nothing to do with what you really are doing and need?

woodcock · ‎07-10-2019

The easiest way is just to do a DNS lookup by adding this to your search:

... | lookup dnslookup clientip AS host

How to replace hostname with IP in result?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms