All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Help converting raw text into a simple stats table showing hostname and destination

gabarrygowin
Path Finder
‎08-23-2017 06:33 PM

Hi all,

Thanks for reading. I've tried a bunch of the offerings in the >answers forum with no luck. Here's my effort:

Need the following raw text to convert into a simple stats table showing hostname and destination.

Raw text:
8/23/17
6:29:10.000 PM

Aug 23 18:29:10 asbcnspap02.gab.com 08/23/2017:18:29:10 asbcnspap02 0-PPE-1 : default TCP CONN_TERMINATE 23913664 0 : Source 10.XXX.XXX.29:443 - Destination 10.120.209.12:4911 - Start Time 08/24/2017:01:28:25 GMT - End Time 08/24/2017:01:29:10 GMT - Total_bytes_send 1 - Total_bytes_recv 1

Current search (not resolving):

index=infrastructure 10.120.213.29 | stats count by Source, Destination | lookup dnslookup clienthost OUTPUT clientip

Any help MUCH appreciated!

0 Karma
Reply

somesoni2
Revered Legend
‎08-23-2017 09:19 PM

Try like this

index=infrastructure 10.120.213.29 | stats count by Source, Destination | lookup dnslookup clientip as Source OUTPUT clienthost as Source_Host   | lookup dnslookup clientip as Destination OUTPUT clienthost as Destination_Host
0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎08-24-2017 01:23 AM

Note that the search (before the first "|") resolves to index=infrastructure 10 AND 120 AND 213 AND 29, because the '.' is a minor segmenter, so it breaks up the IP address into four individual terms. Hence, it may not retrieve exactly what you need. (You can see the search being executed in the search.log, found in the Job Inspector, if you search for "Lispy")
Example:
08-24-2017 01:18:18.579 INFO UnifiedSearch - Expanded index search = ( index=infrastructure 10.120.213.29 )
08-24-2017 01:18:18.580 INFO UnifiedSearch - base lispy: [ AND 10 120 213 29 index::infrastructure ]

Docs for how to handle it here

0 Karma
Reply

gabarrygowin
Path Finder
‎08-24-2017 08:59 AM

Thanks much sslevert!

I finally got that all figured out and appreciate the leading help.

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎08-24-2017 10:29 AM

Cool. Please accept somesoni2's answer to mark it as resolved for posterity.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...