You might need to identify an IP address based on a host name when doing the following:
In order to execute this procedure in your environment, the following data, services, or apps are required:
- Splunk Enterprise or Splunk Cloud Platform
- System log data
A Windows desktop has been infected by ransomware, and you need to identify the IP address of the infected machine as part of your investigation.
To keep the search shown below fast and its field counts meaningful, specify an index and a time range that brackets the suspected infection.
- Run the following search:
- In the fields sidebar on the left, find and click sourcetype.
- Click the sourcetype value with the highest count to add it to the search. Restricting the search to the dominant sourcetype removes noise from other data sources before you look at IP fields.
- In the fields sidebar on the left, find and click src_ip. If src_ip is not listed among the interesting fields, select it from All Fields.
The src_ip value with the highest count is the IP address most likely associated with the host name of the infected machine. Confirm it against an authoritative source such as DHCP lease or DNS logs before acting on it: src_ip in a workstation's own logs can also record the addresses of peers that connected to it.
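The same workflow expressed as a single SPL search, added here as an illustration and not the page's own search. The subsearch finds the most common sourcetype for the host over the chosen time range and returns it as a sourcetype filter; the outer search applies that filter and counts src_ip values, so the first row is the candidate address. The index name wineventlog, the 24-hour window and the host name WS-FINANCE-07 are assumptions for the example and must be replaced with values from your environment.

```spl
index=wineventlog earliest=-24h host="WS-FINANCE-07"
    [ search index=wineventlog earliest=-24h host="WS-FINANCE-07"
      | top limit=1 sourcetype
      | fields sourcetype ]
| stats count BY src_ip
| sort - count
```

If the result table is empty, the dominant sourcetype for that host carries no src_ip field. Drop the subsearch and run `index=wineventlog earliest=-24h host="WS-FINANCE-07" | stats count BY sourcetype, src_ip` to see which sourcetypes actually populate the field, then restrict to one of those instead.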