Is there a Splunk query to find the client ip addr...

tksre · ‎02-13-2018

I have a list of about 200 userids for which I want to fetch the client ip address (from which they logged on )- is there a query for that ?

horsefez · ‎02-13-2018

Hi tksre,

If you have a lookup table in CSV format you are able to add it to Splunk and use the lookup command to match users and output their IP address.

Your lookup-table should look like the following. (example)

user, ip
marc, 19.14.25.120
fred, 128.21.15.199
bob, 120.249.2.14

Use this documentation to upload and add that lookup table to splunk:
https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/ConfigureCSVlookups

You can then use the lookup command to get the required data.

Example-Statement: index=example username=* | lookup nameofmylookuptable user AS username OUTPUT ip
The example assumes that the user in your eventdata is stored in a field called "username"

Further documentation:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Lookup

Is there a Splunk query to find the client ip addresses for a list of usernames?

ATTENTION!! We’re MOVING (not really)

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

AppDynamics Summer Webinars

Are you a member of the Splunk Community?

Is there a Splunk query to find the client ip addresses for a list of usernames?

ATTENTION!! We’re MOVING (not really)

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

AppDynamics Summer Webinars