Hi, splunkers:
I have a puzzle: I need to show the host IP in the result but not the hostname. E.g. after I ran the search query index=* error | stats count by host
the result looks like the following:
host count
aj-ins5577 229
sja_v_jp0_236 4
But I need to show the IP in the result but not the hostname, just like:
host count
10.6.10.132 229
10.6.11.10 4
And I have no lookup table on my server. So is there any method to get ip in splunk?
I found a REST way to list all forwarders' IPs in a search, by running | rest /services/deployment/server/clients | table hostname, ip
and the result is:
hostname ip
aj-ins5577 10.6.10.132
sja_v_jp0_236 10.6.11.10
sja_b_us0_139 10.6.10.111
I think maybe I can append an output command to export the result, and then I can use the lookup table to display the IP in the result. But there is obviously a disadvantage: there are only the forwarders' IPs in it, but no indexers and search heads.
Are there any good ideas? Thanks!
Best regards,
Shengjyer Ao

Like this:
<Your first search here>
| eval which="main"
| appendpipe [| rest /services/deployment/server/clients | table hostname ip | rename hostname AS host]
| stats values(*) AS * BY host
| where which=="main"
Hi, woodcock:
I used the search query following yours, like this:
index=_internal error | stats count by host
| appendpipe [| rest /services/deployment/server/clients | table hostname ip | rename hostname AS host]
| stats values(*) AS * BY host
| eval host=if(isnotnull(ip), ip, host)
| fields host count
And the result looks like this:
host count
10.6.10.132 12834
aojie654-splunk-aab4 2806
sja-q-sh0-110 80
10.6.11.10 14
10.6.10.111 10
It looks like the forwarders' result is good, and the indexers and search head still display their hostnames. Any idea how to replace their hostnames with IPs?

Like this:
index=_internal error
| stats count by host
| append
    [| rest /services/deployment/server/clients
    | table hostname ip
    | rename hostname AS host]
| stats values(*) AS * BY host
| eval host=coalesce(ip, host)
| fields host count

And if you still have problems, SEE MY OTHER ANSWER!
I'll use Python to replace the hostname with the IP, and thanks a lot for your help ^_^

Then why did you ask a question that has absolutely nothing to do with what you really are doing and need?

The easiest way is just to do a DNS lookup by adding this to your search:
... | lookup dnslookup clienthost AS host OUTPUT clientip
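
The two approaches in this thread can be combined so that forwarders take their IP from the deployment-server REST table and hosts it does not list (indexers, search heads) fall back to DNS. This is an added example, not a search posted by anyone in the thread. It assumes the built-in dnslookup external lookup is enabled and that the search head's resolver can resolve the host values.

```spl
index=_internal error
| stats count BY host
| append
    [| rest /services/deployment/server/clients
     | table hostname ip
     | rename hostname AS host]
| stats values(*) AS * BY host
| where isnotnull(count)
| lookup dnslookup clienthost AS host OUTPUT clientip
| eval host=coalesce(ip, clientip, host)
| stats sum(count) AS count BY host
```

The where clause drops deployment clients that logged no matching events, and the final stats merges rows when two host values resolve to the same address. A host that is in neither the REST table nor DNS keeps its hostname.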
