topic tstat with dnslookup does not return the fqdn for an IP value in Splunk Search

tstat with dnslookup does not return the fqdn for an IP value

wmoy — Wed, 30 Sep 2020 00:25:36 GMT

Hello,

I have the following tstats query that I do not understand why it is not returning the FQDN

Here's the query I started off with that works:

| tstats summariesonly=t count FROM datamodel="pan_firewall" where nodename="log" log.vendor_action!=allow groupby host,log. src_zone,log.src_ip,log.dest_zone,log.dest_ip,log.dest_port
| rename log.* AS *
| table host,src_zone,src_ip,dest_zone,dest_ip,dest_port

In the following query, I want to resolve both the 'src_ip' and 'dest_ip' to a FQDN but is not working with no error notification or any indication the matched event counter was incrementing.

|tstats summariesonly=t count FROM datamodel="pan_firewall" where nodename="log" log.vendor_action!=allow groupby host,log.src_zone,log.src_ip,log.dest_zone,log.dest_ip,log.dest_port
| rename log.* AS *
| lookup dnslookup clientip AS src_ip output clienthost AS src_hostname
| lookup dnslookup clientip AS dest_ip output clienthost AS dest_hostname
| table host,src_zone,src_ip,src_hostname,dest_zone,dest_ip,dest_hostname,dest_port

If I run a similar command, the 'dnslookup' works.

 index=* sourcetype=*  vendor_action!=allow 
| lookup dnslookup clientip AS src_ip output clienthost AS src_hostname
| lookup dnslookup clientip AS dest_ip  output clienthost AS dest_hostname
| table host,src_zone,src_ip,src_hostname,dest_zone,dest_ip,dest_hostname,dest_port

Re: tstat with dnslookup does not return the fqdn for an IP value

MuS — Sun, 05 May 2019 20:14:01 GMT

Just guessing here, did you check if the field log.src_ip is numeric in the datamodel?

cheers, MuS

Re: tstat with dnslookup does not return the fqdn for an IP value

woodcock — Sun, 05 May 2019 23:00:00 GMT

I ran your exact search but I inserted a | head 10 after the | rename to speed it up and it worked fine; does yours work better if you limit the results this way?

Re: tstat with dnslookup does not return the fqdn for an IP value

wmoy — Thu, 09 May 2019 13:14:15 GMT

To answer my own question... after trying a number of different things ... turns out that the SPL syntax was fine.
What was happening was the number of results returned from the tstat for a 24hr window caused a huge resource consumption on search head.
I ended up running a dedup and reducing the time window to 10 mins to get the query returning the fqdn from dnslookup.

Re: tstat with dnslookup does not return the fqdn for an IP value

wmoy — Thu, 09 May 2019 13:15:30 GMT

Yes, log.src_ip is numeric in the datamodel

Re: tstat with dnslookup does not return the fqdn for an IP value

wmoy — Thu, 09 May 2019 13:18:55 GMT

Good idea and that lead me to answering my own question that I've just posted.

Thanks.

Re: tstat with dnslookup does not return the fqdn for an IP value

richgalloway — Thu, 09 May 2019 14:43:28 GMT

@wmoy If your problem is resolved, please accept the answer to help future readers.

Re: tstat with dnslookup does not return the fqdn for an IP value

woodcock — Thu, 09 May 2019 15:21:08 GMT

Don't forget to UpVote and click Accept on your answer.