Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a Splunk query to find the client ip addresses for a list of usernames?

tksre
New Member
‎02-13-2018 03:38 PM

I have a list of about 200 userids for which I want to fetch the client ip address (from which they logged on )- is there a query for that ?

Tags (3)
0 Karma
Reply

horsefez
Motivator
‎02-13-2018 04:15 PM

Hi tksre,

If you have a lookup table in CSV format you are able to add it to Splunk and use the lookup command to match users and output their IP address.

Your lookup-table should look like the following. (example)

user, ip
marc, 19.14.25.120
fred, 128.21.15.199
bob, 120.249.2.14

Use this documentation to upload and add that lookup table to splunk:
https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/ConfigureCSVlookups

You can then use the lookup command to get the required data.

Example-Statement: index=example username=* | lookup nameofmylookuptable user AS username OUTPUT ip
The example assumes that the user in your eventdata is stored in a field called "username"

Further documentation:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Lookup

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...