Getting Data In

How to get the host IP address from the search?

abassydo2018
Explorer

Hello,

I would like to see the IP address of the host in this search result. I do not know what I am doing wrong. Please help and advise.

index="f5_syslog" sourcetype=syslog source dest=* unix_category=all_hosts | table source host host_ip

source                                              host                host_ip
/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log       gtmwalldmzsp1
/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log       gtmwalldmzsp1
/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log    ltmdmzwall01mgmt
/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log    ltmdmzwall01mgmt

1 Solution

abassydo2018
Explorer

I got the result I wanted. I needed to go into the LB to check for the pool name and the status of the members of the LB. Then I added the values to the field and I got the result I wanted.

index="device_name" unix_category=all_hosts pool_name="pool-name" | spath address | table host address session_status status_reason

Thank you guys, I really appreciate your help and support. You guys are just too great.


niketn
Legend

@abassydo2018, I have converted your comment to Answer. Please accept the same to mark this question as answered and benefit other users facing similar issue in future!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

abassydo2018
Explorer

Thank you NiketNilay


somesoni2
SplunkTrust

Is the host ip being logged in your raw data/events? Could you share some sample log entry (mask anything that's sensitive like IP address, host names etc).

abassydo2018
Explorer

Yes, I think so.

2018-05-30T06:20:12-04:00 gtmwalldmzsp1 info logger: [ssl_req][30/May/2018:06:20:12 -0400] 192.168.137.64 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "/cgi-bin/view-source" 199

host = gtmwalldmzsp1

source = /opt/data/splunk/gtmwalldmzsp1/2018-06-01.log

sourcetype = syslog


dflodstrom
Builder

The IP address appears in the raw event, but is it being parsed out into a field? In your search you're making a table with these fields:

| table source host host_ip

If you're not seeing any values in host_ip, perhaps the field has a different name.

jodyfsu
Path Finder

I agree with dflodstrom: if the IP address is not being placed into a field already, you can use rex to do it. The pattern below skips past "info logger:", the two bracketed tokens ([ssl_req] and the timestamp) and captures the next whitespace-free token as host_ip:

| rex "info\slogger:\s\[[^\]]+\]\[[^\]]+\]\s(?<host_ip>[^\s]+)"
| table source host host_ip
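The same extraction, applied offline to the sample event from this thread plus a few constructed lines, as an added example that is not part of the original thread or of any Splunk add-on. It reuses the rex pattern above (with the capture group named host_ip, an assumption consistent with the table in the question), validates that the captured token really is an IP address, and also shows a fuller field extraction for the F5 ssl_req line (the field layout is inferred from the one line posted, not from F5 documentation). The sshd line and the line with "-" in place of an address are constructed to show how non-matching and malformed events are handled.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Same pattern as the SPL `rex` in the thread, with the named capture group
# restored (Python uses (?P<name>...) where SPL uses (?<name>...)).
HOST_IP_RE = re.compile(r"info\slogger:\s\[[^\]]+\]\[[^\]]+\]\s(?P<host_ip>[^\s]+)")

# Fuller extraction for an F5 ssl_req log line. Assumed layout, based only on
# the single line posted in the thread:
#   <timestamp> <host> info logger: [ssl_req][<request time>] <client ip> <tls version> <cipher> "<uri>" <bytes>
SSL_REQ_RE = re.compile(
    r"^(?P<timestamp>\S+)\s+(?P<host>\S+)\s+info\slogger:\s"
    r"\[(?P<log_type>[^\]]+)\]\[(?P<request_time>[^\]]+)\]\s"
    r"(?P<host_ip>\d{1,3}(?:\.\d{1,3}){3})\s"
    r"(?P<tls_version>\S+)\s(?P<cipher>\S+)\s"
    r'"(?P<uri>[^"]*)"\s(?P<bytes>\d+)\s*$'
)

# Sample events: the first is the line from the thread; the rest are constructed.
SAMPLE_EVENTS: List[str] = [
    '2018-05-30T06:20:12-04:00 gtmwalldmzsp1 info logger: [ssl_req][30/May/2018:06:20:12 -0400] '
    '192.168.137.64 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "/cgi-bin/view-source" 199',
    # constructed: second F5 host, older TLS version
    '2018-05-30T06:21:03-04:00 ltmdmzwall01mgmt info logger: [ssl_req][30/May/2018:06:21:03 -0400] '
    '10.20.30.40 TLSv1.0 AES256-SHA "/" 512',
    # constructed: unrelated syslog line on the same host, no "logger:" prefix
    "2018-05-30T06:22:00-04:00 gtmwalldmzsp1 info sshd[2211]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2",
    # constructed: matches the rex, but the captured token is not an IP address
    '2018-05-30T06:23:00-04:00 ltmdmzwall01mgmt info logger: [ssl_req][30/May/2018:06:23:00 -0400] '
    '- TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "/" 0',
]


def extract_host_ip(event: str) -> Optional[str]:
    """Return the token the rex would put into host_ip, or None if absent or not an IP."""
    m = HOST_IP_RE.search(event)
    if m is None:
        return None
    token = m.group("host_ip")
    try:
        # [^\s]+ happily captures "-" or garbage; reject anything that is not an address.
        return str(ipaddress.ip_address(token))
    except ValueError:
        return None


def parse_ssl_req(event: str) -> Optional[Dict[str, object]]:
    """Extract all fields of an ssl_req line; None for events that do not fit the layout."""
    m = SSL_REQ_RE.match(event)
    if m is None:
        return None
    fields: Dict[str, object] = dict(m.groupdict())
    fields["bytes"] = int(m.group("bytes"))
    return fields


def extract_table(events: List[str]) -> List[Dict[str, Optional[str]]]:
    """Equivalent of `| rex ... | table host host_ip`, keeping only events with a valid IP."""
    rows: List[Dict[str, Optional[str]]] = []
    for event in events:
        parts = event.split()
        host = parts[1] if len(parts) > 1 else None  # syslog header host, second token
        host_ip = extract_host_ip(event)
        if host_ip is not None:
            rows.append({"host": host, "host_ip": host_ip})
    return rows


if __name__ == "__main__":
    for row in extract_table(SAMPLE_EVENTS):
        print(f"{row['host']:<20} {row['host_ip']}")
    print(parse_ssl_req(SAMPLE_EVENTS[0]))
```

Splunk's rex will happily capture "-" or any other non-IP token into host_ip; in SPL you can add the equivalent check with something like a follow-up `| where match(host_ip, "^\d{1,3}(\.\d{1,3}){3}$")` before trusting the field in dashboards or lookups.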