Splunk simple search

How can I find all traffic logged from 172.18.128 using Splunk search? This must be the simplest thing. But I can't get the dern thing to return a thing!
(Three screenshots attached: ScrnGrab2313-170929-12.56.jpg, ScrnGrab2314-170929-12.57.jpg, ScrnGrab2315-170929-12.58.jpg)

amigan_99 (Network Engineer) asked:

btan (Exec Consultant) commented:
Probably not due to (only) the search string ... there are other factors ...

a) Maybe do a quick try of src="172.18.128.*" OR dst="172.18.128.*", or even some IP (w/o wildcard) that you know will hit. This is just to confirm it is not an empty scan count (number of events that are scanned or read off disk).

b) Check Settings -> Indexes to make sure there are events in the indexes. And check index=_internal log_level=ERROR to see if there's a problem. It was known that search.log may be deleted and added again with a new index instead of the default index. The latter may cause such an issue at times (one instance here).

c)  Free version (especially after the trial expires) of Splunk has an indexing limit of 500 Mb per day. If you index above your licensing limit more than 3 times in a 30 day window on the free version, the search functionality becomes disabled until you either get an unlock key, input a new license or one of the violations rolls past the 30 day window and your total licensing violations fall to 3 or less.
amigan_99 (Network Engineer, Author) commented:
So here are examples of what started working for me:

index="vmwarensx" AND "DROP" AND "TCP 10.32.14.31"

(index="pan_logs" OR index="juniper_logs" OR index="aws_vpc_flow_logs" OR index="vmwarensx") AND "10.3.12.25"
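To make the thread's findings concrete (the bare prefix returns nothing, the quoted wildcard form and the explicit index list do work), here is an added Python emulation of term-based search over a handful of constructed firewall-style events. It is not code from the thread and not Splunk's engine: it models, with a simplified breaker set (an assumption), that free-text search matches indexed terms, that an IP address is indexed as one whole term plus its dot-separated segments, that `*` is the only wildcard, and that a quoted term containing a space is a phrase match. The index names and the two queries mirror the ones posted above; the events and their contents are constructed for the example.

```python
"""Emulation of why "172.18.128" finds nothing while "172.18.128.*" hits.

Added example, not Splunk code: a three-octet prefix is not a term in the
index, so an exact term search cannot match it; a trailing-wildcard term can.
"""
import re
from fnmatch import fnmatchcase

# Assumption: simplified segmentation. Major breakers split events into terms;
# minor breakers additionally split each term into sub-segments.
MAJOR_BREAKERS = re.compile(r"[\s=,]+")
MINOR_BREAKERS = re.compile(r"[.\-:/]")

# Index names from the thread; event contents are constructed for this example.
ALL_TRAFFIC_INDEXES = ["pan_logs", "juniper_logs", "aws_vpc_flow_logs", "vmwarensx"]
SAMPLE_EVENTS = [
    {"index": "pan_logs", "_raw": "action=allow src=172.18.128.15 dst=10.3.12.25 proto=TCP"},
    {"index": "juniper_logs", "_raw": "RT_FLOW: session denied 172.18.128.200 -> 10.32.14.31 TCP"},
    {"index": "vmwarensx", "_raw": "DROP TCP 10.32.14.31 src=172.2.163.9"},
    {"index": "aws_vpc_flow_logs",
     "_raw": "2 123456789012 eni-0abc 172.18.12.8 10.3.12.25 443 51234 6 10 840 ACCEPT OK"},
    {"index": "_internal", "_raw": "log_level=ERROR component=Indexer message=constructed example"},
]


def tokenize(raw):
    """Return the set of searchable terms for one event, lowercased.

    Every major-breaker chunk is a term (e.g. "172.18.128.15"), and so is every
    minor segment inside it ("172", "18", "128", "15"). Note that the prefix
    "172.18.128" never appears as a term.
    """
    terms = set()
    for chunk in MAJOR_BREAKERS.split(raw.lower()):
        if not chunk:
            continue
        terms.add(chunk)
        terms.update(seg for seg in MINOR_BREAKERS.split(chunk) if seg)
    return terms


def term_hits(pattern, raw, terms):
    """True if one quoted search term matches the event.

    A term containing whitespace is a phrase: substring match on the raw text.
    A term with '*' is matched as a glob against every indexed term.
    Anything else must equal an indexed term exactly (case-insensitive).
    """
    pattern = pattern.lower()
    if " " in pattern:
        return pattern in raw.lower()
    if "*" in pattern:
        return any(fnmatchcase(term, pattern) for term in terms)
    return pattern in terms


def search(events, indexes, terms):
    """AND of all quoted terms, restricted to the OR of the listed indexes."""
    hits = []
    for event in events:
        if event["index"] not in indexes:
            continue  # the index restriction is applied before any term test
        indexed = tokenize(event["_raw"])
        if all(term_hits(t, event["_raw"], indexed) for t in terms):
            hits.append(event)
    return hits


def to_spl(indexes, terms):
    """Render the same query in the shape the thread's author used."""
    idx = " OR ".join(f'index="{i}"' for i in indexes)
    quoted = " AND ".join(f'"{t}"' for t in terms)
    return f"({idx}) AND {quoted}" if len(indexes) > 1 else f"{idx} AND {quoted}"


if __name__ == "__main__":
    for terms in (["172.18.128"], ["172.18.128.*"]):
        hits = search(SAMPLE_EVENTS, ALL_TRAFFIC_INDEXES, terms)
        print(to_spl(ALL_TRAFFIC_INDEXES, terms), "->", len(hits), "event(s)")
```

Running the module shows the bare prefix query returning zero events and the wildcard form returning the two events whose source address sits in 172.18.128.0/24, while the event from 172.18.12.8 is correctly left out because the glob requires the full third octet followed by a dot. The same applies to a real deployment: if a known-good address with no wildcard still returns nothing, the index restriction or the ingestion side (btan's points b and c) is the place to look, not the search syntax.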

btan (Exec Consultant) commented:
Thanks for sharing. So does it still work out for the wildcard scenarios as mentioned in question?
amigan_99 (Network Engineer, Author) commented:
No - and I just tried again with, say, 172.2.163.*. Specifying the index seems important, and quotes around the search term. It's super fast, so that's a big plus.
btan (Exec Consultant) commented:
If another address such as 10.32.14.* is used, which should have a hit, but it is not working, then it seems there is an issue with this s/w. It can be due to other factors, as I shared earlier.
amigan_99 (Network Engineer, Author) commented:
Thanks much btan for helping me with yet another issue.