- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Search for an adjacent IP address
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi.
I have an alert that'll tell me if a host is down, and it runs for both Active and Standby hosts.
The issue is that when the standby host hasn't received a log, I'd like to run a search to see if the active host has received a log in the last 24 hours, and if so to ignore it.
I can run a search for all IPs, but what I cant seem to do is see if 198.0.0.2 is down, to check for 198.0.0.1 (the Active is always -1 from Standby)
I thought something like this might work, but no.
index=* host=*
[search index="*" host=198.0.0.2
|rex field=host "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"
|eval Host2 = (Host-1)
|eval newhost= Net. "." .Host2
|fields newhost]
|where host=newhost
any and all help appreciated
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, that makes sense, and |format helped me realise it wasn't pulling through right.
That lead me onto this.
index="*" host = *
| eval standbyhost = "198.0.0.2"
| rex field=standbyhost "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"
| eval Host2 = (Host-1)
| eval newhost= Net. "." .Host2
| where host = newhost
I create a new field "standbyhost" that is the value of the standby host I already know. I apply this to all results.
Then I do maths to lower this IP by 1, and create the new field newhost.
Now every rsult has their host as their own host IP, but the field newvalue of the target I'm looking for.
Then its just a where host=newhost to find it.
Seeing as this will actually pull the value of standbyhost from a field in an alert, I think this'll work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk has a hard time finding things that aren't there. In this case, if host 198.0.0.2 isn't found then there will be no host field from which to extract sub-fields and, so, no newhost field.
If you run the subsearch by itself with "| format" added then you'll see what it returns to the main search.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, that makes sense, and |format helped me realise it wasn't pulling through right.
That lead me onto this.
index="*" host = *
| eval standbyhost = "198.0.0.2"
| rex field=standbyhost "(?<Net>\d+\.\d+\.\d+)\.(?<Host>\d+)"
| eval Host2 = (Host-1)
| eval newhost= Net. "." .Host2
| where host = newhost
I create a new field "standbyhost" that is the value of the standby host I already know. I apply this to all results.
Then I do maths to lower this IP by 1, and create the new field newhost.
Now every rsult has their host as their own host IP, but the field newvalue of the target I'm looking for.
Then its just a where host=newhost to find it.
Seeing as this will actually pull the value of standbyhost from a field in an alert, I think this'll work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
If this reply helps you, Karma would be appreciated.
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
