Splunk Search

How to search and table IP addresses to see which ones are active?

m8733
Explorer

Hello,
I am trying to do a complex search for almost 500 IP addresses to see which ones are active. My query looks like this:
index=DEVICE | table srcip IP OR IP OR IP and so on.
However, the table with the source IP addresses that I got back has an IP address for each event. Is there any way to get each IP address only once to check if it's active or not? Also, I am not sure if there is any efficient query that I could use instead of all the ORs?


m8733
Explorer

I ran this one as well. Thanks.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Like this:

index=DEVICE (src_ip="1.1.1.1" OR src_ip="1.1.1.2" OR src_ip="1.1.1.3" OR ...) | stats count by src_ip
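As an added example (not martin_mueller's reply and not anything from Splunk's own documentation), here is how the same check scales to the ~500 addresses from the question by keeping the list in a lookup file instead of a hand-written OR chain, and how it also shows the addresses that produced no events at all, which the plain stats count by src_ip cannot do. It assumes a lookup file named watchlist_ips.csv with a single column src_ip, and that the field in the DEVICE events is called src_ip; both names are assumptions, so substitute your own file and field name (the question itself uses srcip).

```spl
index=DEVICE [| inputlookup watchlist_ips.csv | fields src_ip]
    /* the subsearch expands the lookup into (src_ip="a") OR (src_ip="b") ...,
       so only watchlisted addresses are searched; no need to type 500 ORs */
| stats count by src_ip
    /* one row per address that appeared, with its event count */
| inputlookup append=true watchlist_ips.csv
    /* re-append the full watchlist so silent addresses get a row too */
| fillnull value=0 count
| stats sum(count) as events by src_ip
| eval status=if(events>0, "active", "inactive")
| sort status, -events
```

The result is one row per watchlisted address with an events count and an active/inactive status; the inactive rows are the addresses that never appeared in the DEVICE index over the search window, which is usually the set you actually want to review. If you only need the active ones, stop after the first stats command.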

m8733
Explorer

Thanks for your reply. How would the query look if I want to type in the IP addresses instead of using a .csv file?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

I'm asking for sample data because I don't understand what ... | table srcip IP OR IP OR IP is meant to do. Neither do I know what kind of data you have in your DEVICE index.

Take a few lines of your source file, anonymize sensitive data, and paste it here.

m8733
Explorer

Sample data?
That's my query
index=DEVICE (source device) | table srcip IP OR IP OR IP
I am getting a table with the source IP address from each event. I am trying to remove duplicates.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Could you post some sample data?

0 Karma