Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a Splunk query to find the client ip addresses for a list of usernames?

tksre
New Member
‎02-13-2018 03:38 PM

I have a list of about 200 userids for which I want to fetch the client ip address (from which they logged on )- is there a query for that ?

Tags (3)
0 Karma
Reply

pyro_wood
SplunkTrust
SplunkTrust
‎02-13-2018 04:15 PM

Hi tksre,

If you have a lookup table in CSV format you are able to add it to Splunk and use the lookup command to match users and output their IP address.

Your lookup-table should look like the following. (example)

user, ip
marc, 19.14.25.120
fred, 128.21.15.199
bob, 120.249.2.14

Use this documentation to upload and add that lookup table to splunk:
https://docs.splunk.com/Documentation/Splunk/7.0.2/Knowledge/ConfigureCSVlookups

You can then use the lookup command to get the required data.

Example-Statement: index=example username=* | lookup nameofmylookuptable user AS username OUTPUT ip
The example assumes that the user in your eventdata is stored in a field called "username"

Further documentation:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Lookup

0 Karma
Reply
The Latest From the Splunk Community!