2 of 2 people found this helpful
Essentially DetectionIP/InsertionIP are ways of saying "this is where the data originated" and "this is the trusted endpoint that parsed it" (similar to Detection/InsertionTime). DetectionIP is a parsed field (from the log data/messages) unless it's not present, then it's the same value as InsertionIP (which is taken from the agent/manager's detected hostname/IP).
Yeah, having "IP" instead of "Name" or "Point" is a little confusing. LEM is also not doing name resolution on the data that is presented, it's literally what came in the logs - so if the log logs a Name, it'll be a name (like windows event logs) when you see it in the console (and when you search). There is some name resolution in the backend correlation engine to resolve this scenario (correlate events where an IP or name comes in the same field), but it's not exposed anywhere else.
Valid related question is where and when you might expect the resolution to take place - on the fly when you're searching, from the server or on the console?
So if I understand your response correctly, I don't have a field I can use where I can always reliably get an IP address for the detecting node?
1 of 1 people found this helpful
Correct - as it is, there's no guarantee that any field will be an IP vs. name 100% of the time across 100% of devices. It depends on the data (log) source and agent node.
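Since the thread concludes that DetectionIP may hold either an IP literal or a hostname depending on the log source, and that it equals InsertionIP when the parsed value is absent, a consumer of exported events usually normalises the field itself before correlating or alerting on it. The following Python is an added example, not LEM code or anything from SolarWinds; it assumes events arrive as dicts keyed `DetectionIP` / `InsertionIP` (the field names from this thread) and uses a constructed hostname-to-IP table in place of whatever DNS or asset inventory a site actually has.

```python
import ipaddress

# Constructed stand-in for a site's own name resolution source
# (DNS, CMDB export, asset inventory). Hypothetical values.
HOSTNAME_TO_IP = {
    "dc01.example.local": "10.0.0.5",
    "web01": "10.0.1.20",
}


def is_ip_literal(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address, False for hostnames."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def resolve_detection_ip(event: dict, lookup: dict = HOSTNAME_TO_IP) -> dict:
    """Normalise the detecting-node identity of one event.

    Returns a dict with:
      ip       - canonical IP string, or None if the name could not be resolved
      name     - the raw hostname when the field was not an IP literal, else None
      origin   - which field supplied the value ("DetectionIP" or "InsertionIP")
      resolved - True only when a hostname was mapped via the lookup table
    Behaviour described in the thread: a missing DetectionIP falls back to InsertionIP.
    """
    raw = event.get("DetectionIP")
    if raw:
        origin = "DetectionIP"
    else:
        raw = event.get("InsertionIP", "")
        origin = "InsertionIP"
    raw = raw.strip()

    if is_ip_literal(raw):
        # Canonicalise (e.g. collapses IPv6 zeros) so equal hosts compare equal.
        return {"ip": str(ipaddress.ip_address(raw)), "name": None,
                "origin": origin, "resolved": False}

    # Hostname: look it up case-insensitively, keep the raw name either way
    # so an unresolvable host is still visible rather than silently dropped.
    mapped = lookup.get(raw.lower())
    return {"ip": mapped, "name": raw, "origin": origin, "resolved": mapped is not None}


if __name__ == "__main__":
    # Constructed sample events mimicking the mix the thread describes.
    samples = [
        {"DetectionIP": "DC01.example.local", "InsertionIP": "10.0.0.1"},  # Windows-style name
        {"DetectionIP": "192.168.1.10", "InsertionIP": "10.0.0.1"},        # syslog-style IP
        {"InsertionIP": "10.0.0.1"},                                       # no parsed DetectionIP
        {"DetectionIP": "unknown-host", "InsertionIP": "10.0.0.1"},        # unresolvable name
    ]
    for ev in samples:
        print(resolve_detection_ip(ev))
```

The `resolved` flag is worth keeping as a separate output field: a correlation rule that keys on `ip` alone would otherwise merge an unresolved hostname (ip `None`) with every other unresolved host, which is exactly the IP-versus-name mismatch the thread is warning about.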