Splunk Search

How to find IP addresses events are coming from to verify if multiple VMs are under a single hostname?

di2esysadmin
Path Finder

I suspect that multiple VMs (as yet unconfigured in our environment) are getting lumped together in the index under a single hostname ("unconfigured-win2008r2"). I'd like to verify this by finding the IP addresses that these events are coming from.

How do I do this?

thanks.

0 Karma

BP9906
Builder

I have a search labeled for this reason.
Splunk - Multiple machine reporting as same host (runs every 60m -1h@h - now)

I found that the RHEL kickstart with our splunkforwarder rpm always puts localhost in server.conf and inputs.conf, so I have to go change it in etc/system/local. Alternatively, we get systems folks who duplicate servers (virtual), change the server name, and don't tell me. This search handles all of the above.


index=_internal sourcetype=splunkd hostname="*" | rex "(?i)hostname=(?P<agentname>[\w-]+)" | stats count values(sourceIp) dc(sourceIp) as dup dc(guid) as dup_guid by agentname | where (agentname="localhost" OR dup>1 OR dup_guid>1) | search NOT (agentname="server1" OR agentname="server2")

server1 and server2 are known servers that have 2 or more IPs. This allows me to ignore servers with these names.

0 Karma

ppeterson
Path Finder

Did anyone get this regex to work?

0 Karma

BP9906
Builder

The above search I posted resolved my issue.

0 Karma

somesoni2
Revered Legend

Assuming that those VMs are hosting a forwarder to send the data, they should be sending a heartbeat to the Splunk indexer, which contains the IP. Try this

index=_internal group="tcpin_connections" | table hostname sourceHost | dedup hostname sourceHost
0 Karma
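The two searches in this thread (BP9906's stats search that flags a hostname reporting from more than one IP or forwarder GUID, and the tcpin_connections dedup above) share one idea: group the forwarder connection records by hostname and look at how many distinct source addresses and GUIDs sit behind each name. The Python below is an added example, not code from the thread or from Splunk, that applies that same logic to constructed splunkd metrics.log lines so the result can be checked offline. The field names (group, hostname, sourceIp, guid) are the ones splunkd writes for tcpin_connections events; the hosts, addresses and GUIDs are invented for the example, and the allowlist stands in for the trailing `search NOT (...)` clause.

```python
import re
from collections import defaultdict

# Constructed sample events shaped like splunkd metrics.log group=tcpin_connections
# lines (field names as Splunk emits them; hosts, addresses and GUIDs are invented
# for this example). Three separate VMs report as "unconfigured-win2008r2"; two of
# them are clones that kept the template's forwarder GUID.
SAMPLE_EVENTS = [
    "05-14-2024 10:00:03.101 +0000 INFO  Metrics - group=tcpin_connections, 10.0.2.21:50101:9997, connectionType=cooked, sourcePort=50101, sourceHost=10.0.2.21, sourceIp=10.0.2.21, destPort=9997, hostname=unconfigured-win2008r2, guid=11111111-1111-1111-1111-111111111111, fwdType=uf, os=Windows",
    "05-14-2024 10:00:03.102 +0000 INFO  Metrics - group=tcpin_connections, 10.0.2.22:50102:9997, connectionType=cooked, sourcePort=50102, sourceHost=10.0.2.22, sourceIp=10.0.2.22, destPort=9997, hostname=unconfigured-win2008r2, guid=22222222-2222-2222-2222-222222222222, fwdType=uf, os=Windows",
    "05-14-2024 10:00:03.103 +0000 INFO  Metrics - group=tcpin_connections, 10.0.2.23:50103:9997, connectionType=cooked, sourcePort=50103, sourceHost=10.0.2.23, sourceIp=10.0.2.23, destPort=9997, hostname=unconfigured-win2008r2, guid=22222222-2222-2222-2222-222222222222, fwdType=uf, os=Windows",
    "05-14-2024 10:00:03.104 +0000 INFO  Metrics - group=tcpin_connections, 10.0.1.11:50104:9997, connectionType=cooked, sourcePort=50104, sourceHost=10.0.1.11, sourceIp=10.0.1.11, destPort=9997, hostname=webfe01, guid=44444444-4444-4444-4444-444444444444, fwdType=uf, os=Linux",
    "05-14-2024 10:00:33.104 +0000 INFO  Metrics - group=tcpin_connections, 10.0.1.11:50104:9997, connectionType=cooked, sourcePort=50104, sourceHost=10.0.1.11, sourceIp=10.0.1.11, destPort=9997, hostname=webfe01, guid=44444444-4444-4444-4444-444444444444, fwdType=uf, os=Linux",
    "05-14-2024 10:00:03.105 +0000 INFO  Metrics - group=tcpin_connections, 10.0.3.5:50105:9997, connectionType=cooked, sourcePort=50105, sourceHost=10.0.3.5, sourceIp=10.0.3.5, destPort=9997, hostname=localhost, guid=55555555-5555-5555-5555-555555555555, fwdType=uf, os=Linux",
    "05-14-2024 10:00:03.106 +0000 INFO  Metrics - group=tcpin_connections, 10.0.4.1:50106:9997, connectionType=cooked, sourcePort=50106, sourceHost=10.0.4.1, sourceIp=10.0.4.1, destPort=9997, hostname=server1, guid=66666666-6666-6666-6666-666666666666, fwdType=uf, os=Linux",
    "05-14-2024 10:00:03.107 +0000 INFO  Metrics - group=tcpin_connections, 10.0.4.2:50107:9997, connectionType=cooked, sourcePort=50107, sourceHost=10.0.4.2, sourceIp=10.0.4.2, destPort=9997, hostname=server1, guid=66666666-6666-6666-6666-666666666666, fwdType=uf, os=Linux",
    # A different metrics group, which the searches in the thread filter out.
    "05-14-2024 10:00:03.108 +0000 INFO  Metrics - group=thruput, name=thruput, instantaneous_kbps=1.5, average_kbps=1.2",
]

# key=value pairs as splunkd writes them: value runs up to the next comma or space.
KV_RE = re.compile(r"(\w+)=([^,\s]+)")


def parse_kv(line):
    """Extract the key=value fields from one metrics.log line (roughly what
    Splunk's automatic field extraction gives you for these events)."""
    return dict(KV_RE.findall(line))


def connections_by_host(events):
    """Same aggregation as
    index=_internal group=tcpin_connections
      | stats count values(sourceIp) dc(sourceIp) dc(guid) by hostname
    Returns {hostname: {"count": n, "ips": [...], "guids": [...]}}.
    Events without a hostname field are skipped, which is why an absent host
    in the table can mean the forwarder never sent one."""
    agg = defaultdict(lambda: {"count": 0, "ips": set(), "guids": set()})
    for line in events:
        f = parse_kv(line)
        if f.get("group") != "tcpin_connections" or "hostname" not in f:
            continue
        entry = agg[f["hostname"]]
        entry["count"] += 1
        if "sourceIp" in f:
            entry["ips"].add(f["sourceIp"])
        if "guid" in f:
            entry["guids"].add(f["guid"])
    return {
        host: {"count": e["count"], "ips": sorted(e["ips"]), "guids": sorted(e["guids"])}
        for host, e in agg.items()
    }


def suspect_hosts(events, allowlist=()):
    """Apply the thread's criteria: the hostname is the unconfigured default
    'localhost', or more than one source IP, or more than one forwarder GUID
    reports under the same name. Names in allowlist (known multi-homed servers)
    are dropped, like the trailing 'search NOT (...)' clause.
    Returns sorted (hostname, count, ips, guids) tuples."""
    flagged = []
    for host, e in sorted(connections_by_host(events).items()):
        if host in allowlist:
            continue
        if host == "localhost" or len(e["ips"]) > 1 or len(e["guids"]) > 1:
            flagged.append((host, e["count"], e["ips"], e["guids"]))
    return flagged


if __name__ == "__main__":
    for host, count, ips, guids in suspect_hosts(SAMPLE_EVENTS, allowlist=("server1",)):
        print(f"{host}: {count} connections, {len(ips)} IPs {ips}, {len(guids)} GUIDs")
```

Two things the sample data is set up to show. First, VMs cloned from a template that already had the forwarder installed keep the template's GUID (it lives in etc/instance.cfg), so `dc(guid)` alone would undercount them; the distinct-IP count is the check that still fires for those clones, which is why both conditions are OR'd together. Second, a genuinely dual-homed box like server1 trips the IP check for legitimate reasons, so an explicit allowlist is needed rather than raising the threshold.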

somesoni2
Revered Legend

I believe the hostname may not be available in all events (sometimes just the IP is logged). Try these and see if you can get the hostname in any of the events.

index=_internal (group=tcp* OR group=per* OR group=ds_*) | table *host* *Host* *ip* *Ip* *IP*

0 Karma

di2esysadmin
Path Finder

This is interesting. The hostname I'm suspicious of doesn't even appear in the resultant table. Why would that be?

0 Karma

richgalloway
SplunkTrust

You'll need to find the field(s) in your index that contain IP addresses. One way to do that is

<your search> | fields - _* | table *

This will list all of the fields available to you (except _raw, _time, etc.) and their values. Look through the table for meaningful values and then add the fields to your query.

---
If this reply helps you, Karma would be appreciated.
0 Karma

di2esysadmin
Path Finder

For these apparently Windows hosts, my query didn't include any IP addresses. Actually, I tried this with a handful of CentOS hosts too. No IP addresses either.

0 Karma