Hi,
I am trying to track who is using Splunk and the IP address of their system. I found this query:
index=_audit action="login attempt" info="succeeded" | JOIN type=left date_year date_month date_mday date_hour date_minute date_second [ search index=_internal "POST /en-US/account/login HTTP/1.1" | fields date_year date_month date_mday date_hour date_minute date_second clientip] | eval newfield = if(isnull(clientip), 1, 0) | search newfield=0 | table clientip user _time
But it is not returning the system IP. It is showing the Splunk base IP. How do I convert it to the real system IP address? Is it possible?
The events in the _audit index do not have this information. You could grab it from the _internal index pretty easily though:
index=_internal sourcetype=splunk_web_service action=login status=success | table _time clientip user
Thanks Ayn.
In that case I refer you to the comment I wrote about proxy/NAT effects.
Yes, it is a browser issue. I already found that query. But the client IP which it is showing is not the real system IP address of the host which is accessing my server.
It's in the code box in my original answer. You might want to switch browsers or something if you're not seeing it, it's fully visible 🙂
Yes Ayn. Can you put that in a comment?
What are you not able to see, my search?
The IP addresses listed by Splunk, at least in the search I wrote, are the IP addresses Splunk "sees" - if you have a NAT or proxy that your clients connect to Splunk through, there's no way for Splunk to see what IP address the actual source system has.
I am not able to see what you quoted here. My problem is like I am able to get the IP address of my system like
user clientip
admin 127.x.x but my IP address is 16x.x.x.x
and for those who have logged in to my server I am getting those IP addresses as 16x.x.x.x
but it is not the true system IP.
I am expecting output like
USER SystemIP
Admin 16x.x.x.x
user1 16x.x.u.i
user2 16g.g.g.g