Splunk Search

how to get user system ip

john
Communicator

Hi,

I am trying to track who all are using Splunk and the IP address of their system. I found this query:
index=_audit action="login attempt" info="succeeded" | JOIN type=left date_year date_month date_mday date_hour date_minute date_second [ search index=_internal "POST /en-US/account/login HTTP/1.1" | fields date_year date_month date_mday date_hour date_minute date_second clientip] | eval newfield = if(isnull(clientip), 1, 0) | search newfield=0 | table clientip user _time

But it is not returning the system IP. It is showing the Splunk base IP. How do I convert it to the real system IP address? Is it possible?


Ayn
Legend

The events in the _audit index do not have this information. You could grab it from the _internal index pretty easily though:

index=_internal sourcetype=splunk_web_service action=login status=success | table _time clientip user

john
Communicator

Thanks Ayn.


Ayn
Legend

In that case I refer you to the comment I wrote about proxy/NAT effects.


john
Communicator

Yes, it is a browser issue. I already found that query. But the client IP it is showing is not the real system IP address of the host which is accessing my server.


Ayn
Legend

It's in the code box in my original answer. You might want to switch browsers or something if you're not seeing it, it's fully visible 🙂


john
Communicator

Yes Ayn. Can you put that in a comment?


Ayn
Legend

What are you not able to see, my search?

The IP addresses listed by Splunk, at least in the search I wrote, are the IP addresses Splunk "sees" - if you have a NAT or proxy that your clients connect to Splunk through, there's no way for Splunk to see what IP address the actual source system has.

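The NAT/proxy effect Ayn describes can be checked from the login data itself. The following is an added example, not code from the thread or from Splunk: it applies the same filter as the search above (action=login status=success, tabulating _time, clientip, user) to a few constructed splunk_web_service-style events in Python, then flags any client IP shared by several distinct users, which is what a NAT gateway or proxy looks like from Splunk's side. The key=value line format and the sample values are constructed; only the field names are taken from the search.

```python
import re
from collections import defaultdict

# Constructed sample events shaped like splunk_web_service login records.
# Field names follow the search in the answer above; values are made up.
SAMPLE_EVENTS = [
    '2024-01-10 09:01:12 action=login status=success user=admin clientip=10.0.0.5',
    '2024-01-10 09:02:40 action=login status=success user=user1 clientip=10.0.0.5',
    '2024-01-10 09:03:07 action=login status=failure user=user2 clientip=10.0.0.5',
    '2024-01-10 09:05:55 action=login status=success user=user2 clientip=10.0.0.5',
    '2024-01-10 09:10:01 action=login status=success user=auditor clientip=192.0.2.44',
]

KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_event(line):
    """Split one event into key=value fields; the leading timestamp is kept as '_time'."""
    fields = dict(KV_RE.findall(line))
    fields['_time'] = ' '.join(line.split(' ', 2)[:2])
    return fields


def successful_logins(lines):
    """Equivalent of: action=login status=success | table _time clientip user"""
    rows = []
    for line in lines:
        ev = parse_event(line)
        if ev.get('action') == 'login' and ev.get('status') == 'success':
            rows.append((ev['_time'], ev['clientip'], ev['user']))
    return rows


def shared_client_ips(rows, min_users=2):
    """Client IPs used by at least min_users distinct accounts.

    Many users behind one clientip means Splunk is recording the address of a
    NAT gateway or proxy, not of each user's workstation, so that field cannot
    be read as 'the user's system IP'."""
    users_by_ip = defaultdict(set)
    for _time, ip, user in rows:
        users_by_ip[ip].add(user)
    return {ip: sorted(u) for ip, u in users_by_ip.items() if len(u) >= min_users}


if __name__ == '__main__':
    rows = successful_logins(SAMPLE_EVENTS)
    for row in rows:
        print(*row)
    print('shared client IPs (NAT/proxy candidates):', shared_client_ips(rows))
```

In the sample, 10.0.0.5 is reported for three different accounts, so it is almost certainly a gateway address rather than anyone's workstation.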

john
Communicator

I am not able to see what you quoted here. My problem is: I am able to get the IP address of my system like

user clientip
admin 127.x.x but my IP address is 16x.x.x.x

and for those who have logged in to my server I am getting those IP addresses as 16x.x.x.x,
but it is not the true system IP.

I am expecting output like

USER SystemIP
Admin 16x.x.x.x
user1 16x.x.u.i
user2 16g.g.g.g
