Splunk simple search

How can I find all traffic logged from 172.18.128 using Splunk search? This must be the simplest thing. But I can't get the dern thing to return a thing!
amigan_99 (Network Engineer) asked:

btan (Exec Consultant) commented:
Probably not due to (only) search string ... and there are other factors ...

a) Maybe do a quick try of src="172.18.128.*" OR dst="172.18.128.*", or even some IP (w/o wildcard) that you know will hit. This is just to confirm it is not an empty scan count (number of events that are scanned or read off disk).

b) Check Settings -> Indexes to make sure there are events in the indexes. And check index=_internal log_level=ERROR to see if there's a problem. It is known that search.log may be deleted and added again with a new index instead of the default index. The latter may cause such an issue at times (one instance here).

c) The free version (especially after the trial expires) of Splunk has an indexing limit of 500 Mb per day. If you index above your licensing limit more than 3 times in a 30 day window on the free version, the search functionality becomes disabled until you either get an unlock key, input a new license, or one of the violations rolls past the 30 day window and your total licensing violations fall to 3 or less.
amigan_99 (Network Engineer, Author) commented:
So here are examples of what started working for me:

index="vmwarensx" AND "DROP" AND "TCP 10.32.14.31"

(index="pan_logs" OR index="juniper_logs" OR index="aws_vpc_flow_logs" OR index="vmwarensx") AND "10.3.12.25"
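As an added example (not from the thread, and not the asker's own search), the same /24 lookup written against the indexes named above, using cidrmatch() so that 172.18.128.0/24 is matched as an address range rather than as wildcarded text; the src_ip, dest_ip and action field names are assumptions that depend on how each sourcetype is extracted, and the second search is the check for btan's point c (the daily indexing volume that can trip the free-license limit).

```spl
(index="pan_logs" OR index="juniper_logs" OR index="aws_vpc_flow_logs" OR index="vmwarensx")
| where cidrmatch("172.18.128.0/24", src_ip) OR cidrmatch("172.18.128.0/24", dest_ip)
| stats count BY index, src_ip, dest_ip, action
| sort - count

index=_internal source=*license_usage.log* type=Usage
| timechart span=1d sum(b) AS bytes_indexed
```

The first search is a post-filter, so keep the index list narrow and add a time range; if it returns nothing while a plain search for a known address does, the field names are the first thing to verify.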

btan (Exec Consultant) commented:
Thanks for sharing. So does it still work out for the wildcard scenarios as mentioned in question?

amigan_99 (Network Engineer, Author) commented:
No - and I just tried again with, say, 172.2.163.*. Specifying the index seems important, and quotes around the search term. It's super fast so that's a big plus.
btan (Exec Consultant) commented:
If another address such as 10.32.14.* is used, which should have a hit, but is not working, then it seems there is an issue with this s/w. It can be due to other factors, as I shared earlier.
amigan_99 (Network Engineer, Author) commented:
Thanks much btan for helping me with yet another issue.