My team has a growing interest in looking at geolocation as a function of client IP address. I've installed a plugin to help with this, but I was a bit stunned to realize that none of my HEC records have the client's IP address (or the source IP) in them.
Is there a way to configure Splunk so that it records the client IP in the record metadata? I would like the server to obtain this information from the HTTP connection rather than have the clients report this information voluntarily since most of my clients won't know their actual WAN IP address (they're behind firewalls).
I see that my HEC records have "splunk_server" in them, which is kinda funny since (it seems to me) Splunkers would be far more interested in the ORIGIN of the record rather than the DESTINATION of the record.