I have a search labeled for this reason:
Splunk - Multiple machines reporting as the same host (runs every 60m, -1h@h - now)
I found that the RHEL kickstart with our splunkforwarder rpm always puts localhost in server.conf and inputs.conf, so I have to go change it in etc/system/local. Alternatively, we get systems folks who duplicate servers (virtual), change the server name, and don't tell me. This search handles all of the above.
index=_internal sourcetype=splunkd hostname="*" | rex "(?i)hostname=(?P
server1 and server2 are known servers that have 2 or more IPs. This allows me to ignore servers with these names.
Did anyone get this regex to work?
The above search I posted resolved my issue.
Assuming that those VMs are hosting a forwarder to send the data, they should be sending a heartbeat to the Splunk indexer, which contains the IP. Try this:
index=_internal group="tcpin_connections" | table hostname sourceHost | dedup hostname sourceHost
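The same detection logic the original poster's search and the tcpin_connections heartbeat search above express in SPL, as an added stand-alone example that is not part of this thread: it parses constructed splunkd metrics.log lines (the field values are made up), collects the distinct sourceIp seen per hostname, and flags any hostname reporting from more than one IP, excluding known multi-homed servers (the thread's server1 and server2). The localhost hostname from the kickstart problem and a cloned VM that kept its hostname both show up the same way.

```python
"""Flag forwarder hostnames that arrive from more than one source IP.

Added example, not code from the original thread: a Python version of the
SPL idea, run over constructed log lines instead of a live Splunk search.
"""
import re
from collections import defaultdict

# Constructed sample events shaped like splunkd metrics.log
# group=tcpin_connections heartbeats. All hosts and IPs are made up.
SAMPLE_EVENTS = """\
03-10-2023 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:41234:9997, connectionType=cooked, sourcePort=41234, sourceHost=10.0.0.5, sourceIp=10.0.0.5, destPort=9997, hostname=web01, version=8.2.0
03-10-2023 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.6:41250:9997, connectionType=cooked, sourcePort=41250, sourceHost=10.0.0.6, sourceIp=10.0.0.6, destPort=9997, hostname=web01, version=8.2.0
03-10-2023 10:00:00.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.7:41301:9997, connectionType=cooked, sourcePort=41301, sourceHost=10.0.0.7, sourceIp=10.0.0.7, destPort=9997, hostname=db01, version=8.2.0
03-10-2023 10:00:30.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.5:41234:9997, connectionType=cooked, sourcePort=41234, sourceHost=10.0.0.5, sourceIp=10.0.0.5, destPort=9997, hostname=web01, version=8.2.0
03-10-2023 10:00:30.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.1.10:41400:9997, connectionType=cooked, sourcePort=41400, sourceHost=10.0.1.10, sourceIp=10.0.1.10, destPort=9997, hostname=server1, version=8.2.0
03-10-2023 10:00:30.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.1.11:41401:9997, connectionType=cooked, sourcePort=41401, sourceHost=10.0.1.11, sourceIp=10.0.1.11, destPort=9997, hostname=server1, version=8.2.0
03-10-2023 10:00:30.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.8:41500:9997, connectionType=cooked, sourcePort=41500, sourceHost=10.0.0.8, sourceIp=10.0.0.8, destPort=9997, hostname=localhost, version=8.2.0
03-10-2023 10:00:30.000 +0000 INFO  Metrics - group=tcpin_connections, 10.0.0.9:41501:9997, connectionType=cooked, sourcePort=41501, sourceHost=10.0.0.9, sourceIp=10.0.0.9, destPort=9997, hostname=localhost, version=8.2.0
03-10-2023 10:01:00.000 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.2, hostname=web01
"""

# Known multi-homed servers (the thread's "server1 and server2"). Seeing
# several IPs for these is expected, so they are left out of the alert.
KNOWN_MULTI_IP = {"server1", "server2"}

# Case-insensitive, like the (?i) in the original poster's rex.
HOSTNAME_RE = re.compile(r"(?i)\bhostname=(?P<hostname>[^,\s]+)")
SOURCE_IP_RE = re.compile(r"\bsourceIp=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_heartbeats(text):
    """Yield (hostname, source_ip) from tcpin_connections lines.

    Lines from other metrics groups (or lines missing either field) are
    skipped rather than guessed at.
    """
    for line in text.splitlines():
        if "group=tcpin_connections" not in line:
            continue
        host = HOSTNAME_RE.search(line)
        ip = SOURCE_IP_RE.search(line)
        if host and ip:
            yield host.group("hostname"), ip.group("ip")


def find_duplicate_hosts(text, allowlist=KNOWN_MULTI_IP):
    """Return {hostname: sorted IPs} for hostnames seen from more than one
    source IP, excluding the allowlisted multi-homed servers."""
    ips_by_host = defaultdict(set)
    for hostname, ip in parse_heartbeats(text):
        ips_by_host[hostname].add(ip)
    return {
        host: sorted(ips)
        for host, ips in ips_by_host.items()
        if len(ips) > 1 and host not in allowlist
    }


if __name__ == "__main__":
    for host, ips in sorted(find_duplicate_hosts(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(ips)}")
```

Against the constructed events this reports web01 (two IPs, the cloned-VM case) and localhost (two IPs, the kickstart case) and stays quiet about db01 and the allowlisted server1. The allowlist is deliberately a parameter so a second, unexpected IP for server1 can still be surfaced by calling it with an empty set.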
I believe the hostname may not be available in all events (sometimes just the IP is logged). Try these and see if you can get the hostname in any of the events.
index=_internal group=tcp* OR group=per* OR group=ds_* | table *host* *Host* *ip* *Ip* *IP*
This is interesting. The hostname I'm suspicious of doesn't even appear in the resultant table. Why would that be?
You'll need to find the field(s) in your index that contain IP addresses. One way to do that is:
<your search> | fields - _* | table *
This will list all of the fields available to you (except _raw, _time, etc.) and their values. Look through the table for meaningful values and then add the fields to your query.
For these apparently Windows hosts, my query didn't include any IP addresses. Actually, I tried this with a handful of CentOS hosts too. No IP addresses either.