Hello,
I would like to see the IP address of the host in this search result. I do not know what I am doing wrong. Please help and advise.
index="f5_syslog" sourcetype=syslog source dest=* unix_category=all_hosts | table source host host_ip
source                                              host
/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log       gtmwalldmzsp1
/opt/data/splunk/gtmwalldmzsp1/2018-06-01.log       gtmwalldmzsp1
/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log    ltmdmzwall01mgmt
/opt/data/splunk/ltmdmzwall01mgmt/2018-06-01.log    ltmdmzwall01mgmt
I got the result I wanted. I needed to go into the LB to check for the pool-name and the status of the members of the LB. Then I added the values to the field and I got the result I wanted.
index="device_name" unix_category=all_hosts pool_name="pool-name" | spath address | table host address session_status status_reason
Thank you guys, I really appreciate your help and support. You guys are just too great.
@abassydo2018, I have converted your comment to an Answer. Please accept it to mark this question as answered and benefit other users facing a similar issue in the future!
Thank you NiketNilay
Is the host IP being logged in your raw data/events? Could you share a sample log entry (mask anything that's sensitive like IP addresses, host names etc.)?
Yes, I think so.
2018-05-30T06:20:12-04:00 gtmwalldmzsp1 info logger: [ssl_req][30/May/2018:06:20:12 -0400] 192.168.137.64 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "/cgi-bin/view-source" 199
host = gtmwalldmzsp1
source = /opt/data/splunk/gtmwalldmzsp1/2018-06-01.log
sourcetype = syslog
The IP address appears in the raw event, but is it being parsed out into a field? In your search you're making a table with these fields: | table source host host_ip
If you're not seeing any values in host_ip, perhaps the field has a different name.
I agree with dflodstrom. If the IP address is not being placed into a field already, you can use rex to do it:
| rex "info\slogger:\s\[[^\]]+\]\[[^\]]+\]\s(?<host_ip>\d{1,3}(?:\.\d{1,3}){3})"
| table source host host_ip