Solved: How do you include host IP address in the followin...

rbrisseyii · ‎11-06-2018

Hello,

All our servers should have more than 2 apps installed. We run this report for a list of systems missing apps:

| rest /services/deployment/server/clients splunk_server=local| table hostname applications*.stateOnClient | untable hostname applications value | stats count by hostname | where count < 3

However, I would also like to include the host's IP address in this, but I can't figure out how to include it.

Any pointers or better ways to go about this?

KailA · ‎11-06-2018

Hey !
I think you just missed the ip field.

Can you try something like that

| rest /services/deployment/server/clients splunk_server=local 
| table hostname applications*.stateOnClient ip
| eval hostname = hostname."___".ip
| untable hostname applications value 
| stats count by hostname 
| where count < 3
| rex field=hostname "(?<hostname>.*)___(?<ip>.*)"

Let me know if it works for you.

Kail

View solution in original post

KailA · ‎11-06-2018

Hey !
I think you just missed the ip field.

Can you try something like that

| rest /services/deployment/server/clients splunk_server=local 
| table hostname applications*.stateOnClient ip
| eval hostname = hostname."___".ip
| untable hostname applications value 
| stats count by hostname 
| where count < 3
| rex field=hostname "(?<hostname>.*)___(?<ip>.*)"

Let me know if it works for you.

Kail

How do you include host IP address in the following Splunk search?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...