I am trying to track who all using splunk and ip address of there system.I found this query
index=audit action="login attempt" info="succeeded" | JOIN type=left dateyear datemonth datemday datehour dateminute datesecond [ search index=internal "POST /en-US/account/login HTTP/1.1" | fields dateyear datemonth datemday datehour dateminute datesecond clientip] | eval newfield = if(isnull(clientip), 1, 0) | search newfield=0 | table clientip user _time
But it is not returning the system ip.It is showing splun base ip.How to convert it to the real system IP address.Is it possible.
The events in the
_audit index do not have this information. You could grab it from the
_internal index pretty easily though:
index=_internal sourcetype=splunk_web_service action=login status=success | table _time clientip user
What are you not able to see, my search?
The IP addresses listed by Splunk at least in the search I wrote is the IP addresses Splunk "sees" - if you have a NAT or proxy that your clients connect to Splunk through, there's no way for Splunk to see what IP address the actual source system has.
iam not able to see what you quoted here.My problem is like iam able to get the ip address of my system like
admin 127.x.x but my ip adress is 16x.x.x.x
and those who have logged in my sever iam getting those ip address as 16x.x.x.x
but it is not the true system ip.
Iam excpecting ouputlike