Does the Splunk Add-on for Microsoft Windows have a way to poll the IP address of Windows universal forwarders?

nbowman
Path Finder

I would like to get the IP address of my Windows universal forwarders.

[WinHostMon://NetworkAdapter] doesn't give an IP, just MAC address.

[WinNetMon://inbound] and [WinNetMon://outbound] give an IP address, but it is also very noisy.

Does the Splunk Add-on for Microsoft Windows have a way to poll the UF IP using an interval?

mbrunetto
Path Finder

I'm looking for something similar to this, but the solution given won't work. I need to know the IP address list associated with each MAC address on my servers. For Unix, the interfaces type provides a nice table that works. Anything with this capability in Windows?

c_boggs
Explorer

I think you could write and deploy a simple scripted input to just run "ipconfig /all" and index the results. May take some scripting to get it into a nicer format, but I honestly don't think this capability already exists in the Windows TA.

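One way to do what c_boggs describes, as an added example that is not part of this thread: a PowerShell script run as a scripted input on the universal forwarder, emitting one key=value event per active adapter with its IPv4/IPv6 addresses, MAC and DNS servers so Splunk auto-extracts the fields. It assumes PowerShell 3+ with the NetAdapter and DnsClient modules (Windows 8 / Server 2012 and later); the file name and the inputs.conf stanza in the comments are assumptions, not taken from the thread.

```powershell
# Example scripted input (added here, not from the original thread).
# Suggested deployment via the Windows add-on's PowerShell modular input
# (stanza name and path are assumptions):
#   [powershell://NetAdapterInfo]
#   script = . "$SplunkHome\etc\apps\my_app\bin\netadapters.ps1"
#   schedule = 0 */30 * * * *
#   sourcetype = windows:netadapter

$ts       = (Get-Date).ToString("yyyy-MM-dd HH:mm:ss zzz")
$hostName = $env:COMPUTERNAME   # $host is a reserved automatic variable, so avoid it

# Only report adapters that are up; disconnected ones have no useful IP anyway.
Get-NetAdapter | Where-Object { $_.Status -eq 'Up' } | ForEach-Object {
    $idx = $_.ifIndex

    # Collect all addresses per family and the DNS servers bound to this interface.
    $ipv4 = (Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv4 -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty IPAddress) -join ','
    $ipv6 = (Get-NetIPAddress -InterfaceIndex $idx -AddressFamily IPv6 -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty IPAddress) -join ','
    $dns  = (Get-DnsClientServerAddress -InterfaceIndex $idx -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty ServerAddresses) -join ','

    # Ordered so every event has the same field layout; empty values are kept so the field still exists.
    $fields = [ordered]@{
        host        = $hostName
        adapter     = $_.Name
        description = $_.InterfaceDescription
        mac         = $_.MacAddress
        ipv4        = $ipv4
        ipv6        = $ipv6
        dns_servers = $dns
        link_speed  = $_.LinkSpeed
    }

    # Quote values and escape embedded quotes so Splunk's key=value extraction is unambiguous.
    $kv = ($fields.GetEnumerator() | ForEach-Object {
        '{0}="{1}"' -f $_.Key, ([string]$_.Value -replace '"', '\"')
    }) -join ' '

    Write-Output "$ts $kv"
}
```

With this in place a search such as `sourcetype=windows:netadapter | stats latest(ipv4) latest(mac) latest(dns_servers) by host, adapter` gives the per-adapter table the original question asks for.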

Richfez
SplunkTrust

I don't think the answer you are after is where you are looking. However, this information IS in Splunk:

index=_internal source=*metrics.log group=tcpin_connections| stats count(_time) AS checkins, latest(_time) AS last_checkin by sourceHost, sourceIp

Obviously, that's just a sample or example - I don't know the purpose you want to put it to or how you want to use it, so I just guessed at some small but reasonable search to show. Hopefully this will help you get started. Also, if you search for something like "splunk list forwarders" you'll get more answers, questions and blog entries on this topic.

nbowman
Path Finder

Yeah, I suppose that would somewhat work. I was hoping to use the Splunk for Windows App to get all network adapter information in full: IP and MAC and DNS, etc.

Richfez
SplunkTrust

Sorry, I think I distracted myself with the "app for windows" portion. 😞

There should be both in the events themselves. Check, for instance, src_ip. src_ip, src_domain and src_nt_host are all available which tells you a lot.

Field names may vary - do the "show more fields" (because there's probably a LOT more available than are showing) and in there you can search for "ip" and it should tell you what fields are available for use.

nbowman
Path Finder

Hmm, I'm not seeing src_ip and src_nt_host.

These are the inputs that I have enabled:

###### OS Logs ######
[WinEventLog://Security]
disabled = 0

[WinEventLog://Application]
disabled = 0

[WinEventLog://System]
disabled = 0

###### Host monitoring ######
[WinHostMon://NetworkAdapter]
disabled = 0

###### Network monitoring ######
[WinNetMon://inbound]
disabled = 0

[WinNetMon://outbound]
disabled = 0

Any ideas?
