Getting Data In

Using Splunk Web, can I search a specific host name or IP address that returns the “Identified UF Version” of that system?

Splunk0n
New Member

Hello Splunkers - Using Splunk Web, can I search/index a specific host name or IP address that returns the “Identified UF Version” of that system? The Universal Forwarder 6.4 is already installed. Any assistance would be greatly appreciated, thank you.

0 Karma
1 Solution

coltwanger
Contributor

Try something like this, but replace sourceHost with your IP address:

index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* sourceHost=10.1.1.1 
| eval Hostname=if(isnull(hostname), sourceHost,hostname) 
| eval version=if(isnull(version),"pre 4.2",version) 
| eval architecture=if(isnull(arch),"n/a",arch) 
| stats count by Hostname version architecture 
| sort + version

View solution in original post

0 Karma

coltwanger
Contributor

Try something like this, but replace sourceHost with your IP address:

index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* sourceHost=10.1.1.1 
| eval Hostname=if(isnull(hostname), sourceHost,hostname) 
| eval version=if(isnull(version),"pre 4.2",version) 
| eval architecture=if(isnull(arch),"n/a",arch) 
| stats count by Hostname version architecture 
| sort + version
0 Karma

Splunk0n
New Member

Hello coltwanger - thank for your guidance. I have tried your suggestions but no results. I am new to Splunk but not a SME yet 🙂
Assuming my IP is 123.45.6.78, can you be more specific how I can index that systems?
I know its probably an elementary question so please bare with me, thank you.

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@Splunk0n - I don't think it was your intention, but I scrubbed the IP address you initially used since it points to an actual location. I anonymized the IP address in your and coltwanger's comments. Please keep in mind that Splunk Answers is a public forum so please take extra care as to not accidentally reveal sensitive information specific to you, your company, and/or customers. Thanks 🙂

0 Karma

coltwanger
Contributor

This search should return the information regarding that particular IP address:

 index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* sourceHost=123.45.6.78 
 | eval Hostname=if(isnull(hostname), sourceHost,hostname) 
 | eval version=if(isnull(version),"pre 4.2",version) 
 | eval architecture=if(isnull(arch),"n/a",arch) 
 | stats count by Hostname version architecture 
 | sort + version
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...