Alerting

Adding a field from workflow

a_n
Path Finder

Hi,

I have a firewall log in which some of the destinations do not have SNI, but I have their IPs.

I want to create/extract a new field from destination to get the destination details, for example the Resolve Host or the Organization.

Can someone please advise if this is possible and how?
Thank you in advance.

Labels (1)
Tags (1)
0 Karma
1 Solution

isoutamo
SplunkTrust
SplunkTrust

Basically there are two way to do it.

  1. Lookup (file / kv store)
  2. external command which do dns lookup

https://community.splunk.com/t5/Splunk-Search/DNS-Lookup-via-Splunk/td-p/72304

1st one needs that you are keeping up separate ip vs nsi mappings in csv file or in kvstore and update it regular base.

2nd one needs separate command to do it and if/when you have lot of IPs it could take a long time. You can start with this https://splunkbase.splunk.com/app/1535/

r. Ismo

View solution in original post

isoutamo
SplunkTrust
SplunkTrust
Hi
I think that this can do. Can you post sample events which you have?
r. Ismo
0 Karma

a_n
Path Finder

Hello ,

search is like:

index=FW 
|stats count by Src,Dst,sni

results are like:

192.168.1.12    2.23.259.24   assets.msn.com

192.168.1.20    3.68.77.130   

in the second row, the sni is empty. using a workflow, I can get the info of this IP (Amazon Technologies) but I have 2 issues:
1- I just need to get back single field (for example: Organization)
2- I want to be able to have this field (result of the workflow OR kind of External web lookup!) available in my reports and search results, like an extracted field.

Thank you in advance for your kind support.

 

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Basically there are two way to do it.

  1. Lookup (file / kv store)
  2. external command which do dns lookup

https://community.splunk.com/t5/Splunk-Search/DNS-Lookup-via-Splunk/td-p/72304

1st one needs that you are keeping up separate ip vs nsi mappings in csv file or in kvstore and update it regular base.

2nd one needs separate command to do it and if/when you have lot of IPs it could take a long time. You can start with this https://splunkbase.splunk.com/app/1535/

r. Ismo

a_n
Path Finder

Thank you sir!

0 Karma
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...