Using Splunk Web, can I search a specific host name or IP address that returns the “Identified UF Version” of that system?

Splunk0n
New Member

Hello Splunkers - Using Splunk Web, can I search/index a specific host name or IP address that returns the “Identified UF Version” of that system? The Universal Forwarder 6.4 is already installed. Any assistance would be greatly appreciated, thank you.

0 Karma
1 Solution

coltwanger
Contributor

Try something like this, but replace sourceHost with your IP address:

index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* sourceHost=10.1.1.1 
| eval Hostname=if(isnull(hostname), sourceHost,hostname) 
| eval version=if(isnull(version),"pre 4.2",version) 
| eval architecture=if(isnull(arch),"n/a",arch) 
| stats count by Hostname version architecture 
| sort + version

0 Karma

Splunk0n
New Member

Hello coltwanger - thanks for your guidance. I have tried your suggestions but no results. I am new to Splunk but not a SME yet 🙂
Assuming my IP is 123.45.6.78, can you be more specific how I can index that system?
I know it's probably an elementary question so please bear with me, thank you.

0 Karma

aaraneta_splunk
Splunk Employee

@Splunk0n - I don't think it was your intention, but I scrubbed the IP address you initially used since it points to an actual location. I anonymized the IP address in your and coltwanger's comments. Please keep in mind that Splunk Answers is a public forum so please take extra care as to not accidentally reveal sensitive information specific to you, your company, and/or customers. Thanks 🙂

0 Karma

coltwanger
Contributor

This search should return the information regarding that particular IP address:

index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* sourceHost=123.45.6.78
| eval Hostname=if(isnull(hostname), sourceHost,hostname)
| eval version=if(isnull(version),"pre 4.2",version)
| eval architecture=if(isnull(arch),"n/a",arch)
| stats count by Hostname version architecture
| sort + version
0 Karma
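To make it clearer what coltwanger's search is doing under the hood, here is an added Python example (not code from the thread or from Splunk) that applies the same logic to a handful of constructed `group=tcpin_connections` metrics lines: drop events that carry `eventType` (the `NOT eventType=*` clause), optionally filter on `sourceHost`, fall back to `sourceHost` / `"pre 4.2"` / `"n/a"` exactly as the three `eval` statements do, then count by hostname, version and architecture and sort by version. The key=value layout of the sample lines and the field names they contain are assumptions about what splunkd writes to `_internal`; the sample data itself is constructed and the sort is a plain string sort, matching the mixed version strings the `eval` produces.

```python
import re
from collections import Counter

# Constructed sample splunkd metrics events (not real log data). The comma
# separated key=value layout is an assumption about the tcpin_connections
# format; the fields used here (group, eventType, sourceHost, hostname,
# version, arch) are the ones the search in the thread relies on.
SAMPLE_EVENTS = [
    "03-01-2016 10:00:00.000 -0500 INFO Metrics - group=tcpin_connections, "
    "123.45.6.78:51000:9997, connectionType=cooked, sourcePort=51000, "
    "sourceHost=123.45.6.78, sourceIp=123.45.6.78, destPort=9997, kb=12.50, "
    "build=abcdef123456, version=6.4.0, os=Linux, arch=x86_64, "
    "hostname=webserver01, fwdType=uf, ssl=false",
    # Connection-status event: carries eventType, so NOT eventType=* drops it
    "03-01-2016 10:00:01.000 -0500 INFO Metrics - group=tcpin_connections, "
    "eventType=connect_done, sourceHost=123.45.6.78, sourcePort=51000, destPort=9997",
    # Forwarder older than 4.2: reports no version, arch or hostname fields
    "03-01-2016 10:00:30.000 -0500 INFO Metrics - group=tcpin_connections, "
    "10.20.30.40:52000:9997, connectionType=cooked, sourcePort=52000, "
    "sourceHost=10.20.30.40, sourceIp=10.20.30.40, destPort=9997, kb=3.10",
    # Second metrics interval from the same 6.4.0 forwarder
    "03-01-2016 10:00:30.000 -0500 INFO Metrics - group=tcpin_connections, "
    "123.45.6.78:51000:9997, connectionType=cooked, sourcePort=51000, "
    "sourceHost=123.45.6.78, sourceIp=123.45.6.78, destPort=9997, kb=8.75, "
    "build=abcdef123456, version=6.4.0, os=Linux, arch=x86_64, "
    "hostname=webserver01, fwdType=uf, ssl=false",
]

KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_event(line):
    """Extract key=value pairs from one splunkd metrics line into a dict."""
    return dict(KV_RE.findall(line))


def forwarder_versions(events, source_host=None):
    """Mirror the thread's SPL: keep tcpin_connections metrics that have no
    eventType (and match source_host if given), apply the same eval
    fallbacks, count by (Hostname, version, architecture), sort by version."""
    counts = Counter()
    for line in events:
        f = parse_event(line)
        if f.get("group") != "tcpin_connections":
            continue
        if "eventType" in f:  # NOT eventType=*
            continue
        if source_host and f.get("sourceHost") != source_host:
            continue
        # eval Hostname=if(isnull(hostname), sourceHost, hostname)
        hostname = f.get("hostname", f.get("sourceHost"))
        # eval version=if(isnull(version), "pre 4.2", version)
        version = f.get("version", "pre 4.2")
        # eval architecture=if(isnull(arch), "n/a", arch)
        arch = f.get("arch", "n/a")
        counts[(hostname, version, arch)] += 1
    # stats count by Hostname version architecture | sort + version
    return sorted(
        [{"Hostname": h, "version": v, "architecture": a, "count": c}
         for (h, v, a), c in counts.items()],
        key=lambda row: row["version"],
    )


if __name__ == "__main__":
    for row in forwarder_versions(SAMPLE_EVENTS, source_host="123.45.6.78"):
        print(row)
    print("--- all forwarders ---")
    for row in forwarder_versions(SAMPLE_EVENTS):
        print(row)
```

With the `sourceHost` filter the result is a single row for `webserver01` on 6.4.0 with a count of 2; without it the pre-4.2 forwarder shows up under its IP address, which is also how such hosts appear in the Splunk search results, since the older forwarder never reports a hostname.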