Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using Splunk Web, can I search a specific host name or IP address that returns the “Identified UF Version” of that system?

Splunk0n
New Member
‎12-06-2016 09:13 AM

Hello Splunkers - Using Splunk Web, can I search/index a specific host name or IP address that returns the “Identified UF Version” of that system? The Universal Forwarder 6.4 is already installed. Any assistance would be greatly appreciated, thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

coltwanger
Contributor
‎12-06-2016 09:38 AM

Try something like this, but replace sourceHost with your IP address:

index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* sourceHost=10.1.1.1 
| eval Hostname=if(isnull(hostname), sourceHost,hostname) 
| eval version=if(isnull(version),"pre 4.2",version) 
| eval architecture=if(isnull(arch),"n/a",arch) 
| stats count by Hostname version architecture 
| sort + version

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

coltwanger
Contributor
‎12-06-2016 09:38 AM

Try something like this, but replace sourceHost with your IP address:

index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* sourceHost=10.1.1.1 
| eval Hostname=if(isnull(hostname), sourceHost,hostname) 
| eval version=if(isnull(version),"pre 4.2",version) 
| eval architecture=if(isnull(arch),"n/a",arch) 
| stats count by Hostname version architecture 
| sort + version
0 Karma
Reply
Solved! Jump to solution

Splunk0n
New Member
‎12-08-2016 08:08 AM

Hello coltwanger - thank for your guidance. I have tried your suggestions but no results. I am new to Splunk but not a SME yet 🙂
Assuming my IP is 123.45.6.78, can you be more specific how I can index that systems?
I know its probably an elementary question so please bare with me, thank you.

0 Karma
Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎12-08-2016 01:13 PM

@Splunk0n - I don't think it was your intention, but I scrubbed the IP address you initially used since it points to an actual location. I anonymized the IP address in your and coltwanger's comments. Please keep in mind that Splunk Answers is a public forum so please take extra care as to not accidentally reveal sensitive information specific to you, your company, and/or customers. Thanks 🙂

0 Karma
Reply
Solved! Jump to solution

coltwanger
Contributor
‎12-08-2016 11:37 AM

This search should return the information regarding that particular IP address:

 index="_internal" sourcetype=splunkd group=tcpin_connections NOT eventType=* sourceHost=123.45.6.78 
 | eval Hostname=if(isnull(hostname), sourceHost,hostname) 
 | eval version=if(isnull(version),"pre 4.2",version) 
 | eval architecture=if(isnull(arch),"n/a",arch) 
 | stats count by Hostname version architecture 
 | sort + version
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...