Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to export IPs of all hosts logging to a specific index to a text file, and can we choose where this file is exported to?

sdorsey15
New Member
‎12-09-2015 06:14 PM

Hello all - hoping this isn't too difficult.

I am looking to export the IP addresses of all hosts logging to a specific index to a text file. I have this:

| metadata type=hosts index=[example index] | stats count by host

But this shows the name of the host. When I manually look through the logs, I don't see the source IP as a field. Just the hostname configured in the outputs.conf of each machine.

Then the second part is exporting them to a text file; is this accurate? 

outputtext usexml=false | rename _xml as raw | fields raw | fields - _* | outputcsv results.txt

I believe this will export it to $SPLUNK_HOME/var/run/splunk/results.txt. Is it possible to change where it exports the txt file? I would like the text file placed in the Splunk web dir so the text file is hosted and can be queried by other devices.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎12-11-2015 02:02 AM

You can get the ip addresses into a file with just the following search

|metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | fields clientip | outputcsv results.csv

The documentation states that you can't change the location. http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Outputcsv
See comment below regarding cron

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

jplumsdaine22
Influencer
‎12-11-2015 02:02 AM

You can get the ip addresses into a file with just the following search

|metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | fields clientip | outputcsv results.csv

The documentation states that you can't change the location. http://docs.splunk.com/Documentation/Splunk/6.3.1511/SearchReference/Outputcsv
See comment below regarding cron

0 Karma
Reply
Solved! Jump to solution

sdorsey15
New Member
‎12-11-2015 07:15 AM

Thanks! I ran this search but the resulting text file just contains one line that says "clientip".

I verified |metadata type=hosts index= correctly lists all of the hosts reporting to that index.

0 Karma
Reply
Solved! Jump to solution

jplumsdaine22
Influencer
‎12-11-2015 07:33 AM

I may have done the lookup incorrectly

Make sure you are getting values for 

|metadata type=hosts index=<example index> | lookup dnslookup clienthost as host OUTPUT clientip | table host clientip

If the clientip field is blank for all your hosts, have you tried resolving the hostname manually on your server?

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎12-11-2015 02:35 AM

You cant change the location of the output. You would need to cron and script a move of that file somewhere...

Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...