  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 37

Splunk simple search

How can I find all traffic logged from 172.18.128 using Splunk search? This must be the simplest thing. But I can't get the dern thing to return a thing!
Asked by amigan_99
2 Solutions
btan (Exec Consultant) commented:
Probably not due to (only) the search string ... there are other factors ...

a) Maybe do a quick try with src="172.18.128.*" OR dst="172.18.128.*", or even some IP (w/o wildcard) that you know will hit. This is just to confirm it is not an empty scan count (number of events that are scanned or read off disk).

b) Check Settings -> Indexes to make sure there are events in the indexes. And check index=_internal log_level=ERROR to see if there's a problem. It was known that search.log may be deleted and added again with a new index instead of the default index. The latter may cause such an issue at times (one instance here).

c) The free version (especially after the trial expires) of Splunk has an indexing limit of 500 MB per day. If you index above your licensing limit more than 3 times in a 30-day window on the free version, the search functionality becomes disabled until you either get an unlock key, input a new license, or one of the violations rolls past the 30-day window and your total licensing violations fall to 3 or less.
amigan_99 (Author) commented:
So here are examples of what started working for me:

index="vmwarensx" AND "DROP" AND "TCP 10.32.14.31"

(index="pan_logs" OR index="juniper_logs" OR index="aws_vpc_flow_logs" OR index="vmwarensx") AND "10.3.12.25"
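As an added illustration (not part of the thread and not Splunk's documentation), the four SPL searches below combine btan's checklist with the author's working searches and extend them to the prefix case from the original question. The first search counts events per index (btan's point b) so an empty index is ruled out before the search string is blamed; the second pulls Splunk's own error messages; the third restricts the author's four indexes to a 172.18.128.0/24 prefix using Splunk's CIDR notation on an extracted IP field, which is the field-based equivalent of the "172.18.128.*" wildcard; the fourth applies the same prefix after the fact with cidrmatch(), which is useful when the IP only exists after an eval or lookup. The field names src_ip, dest_ip and action are assumptions and must be replaced with whatever the sourcetype actually extracts (the thread itself uses src and dst); the index names are the ones from the author's post.

```spl
| tstats count where index=* by index

index=_internal log_level=ERROR

(index=pan_logs OR index=juniper_logs OR index=aws_vpc_flow_logs OR index=vmwarensx)
    (src_ip="172.18.128.0/24" OR dest_ip="172.18.128.0/24")
| stats count by index, sourcetype, src_ip, dest_ip

(index=pan_logs OR index=juniper_logs OR index=aws_vpc_flow_logs OR index=vmwarensx)
| where cidrmatch("172.18.128.0/24", src_ip) OR cidrmatch("172.18.128.0/24", dest_ip)
| table _time, index, src_ip, dest_ip, action
```

The CIDR form in the third search only works against a field that holds a bare IP address; when the address is embedded in free text (as in the author's "TCP 10.32.14.31" term), the raw-term search the author posted is the right tool, and the index restriction keeps it fast.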
btan (Exec Consultant) commented:
Thanks for sharing. So does it still work out for the wildcard scenarios mentioned in the question?
amigan_99 (Author) commented:
No - and I just tried again with, say, 172.2.163.*. Specifying the index seems important, as do quotes around the search term. It's super fast, so that's a big plus.
btan (Exec Consultant) commented:
If another address such as 10.32.14.*, which should have a hit, is used but is not working, then it seems there is an issue with this s/w. It can be due to other factors, as I shared earlier.
amigan_99 (Author) commented:
Thanks much btan for helping me with yet another issue.