All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Use a lookup of one field to populate a search

mpitts
Explorer
‎10-29-2013 05:43 PM

I'm trying to build a server healthcheck dashboard in which a user enters a hostname and is returned a series. One of the panels I would like to return is a search of our load balancer logs showing if the server has any failed monitors. My problem is that the load balancer logs record everything by IP. So I need to be able to take the hostname that the user enters, perform a DNS lookup on it, then use the resulting IP in a search of the load balancer logs.

I've gotten as far as being able to perform the DNS lookup of the hostname, but I can't figure out how to then take and perform the second search.

Thanks for any help.

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎10-30-2013 10:04 AM

Other simpler option on the similar line woud be:-

sourcetype=ltm_log | lookup dnslookup clientip as host | rename clinethost as hostname| "your filter"

0 Karma
Reply

mpitts
Explorer
‎10-30-2013 07:13 AM

I figured this one out with a subsearch:

sourcetype=ltm_log [search host=foo | lookup dnslookup clienthost as host | rename clientip as ltm_pool_member | return ltm_pool_member]

What this does is execute the subsearch and return 'ltm_pool_member="x.x.x.x"' to the parent search.

Reply

ShaneNewman
Motivator
‎10-29-2013 06:13 PM

You need to get the data from the dns lookup into Splunk, either as a lookup file (csv) or by having the data indexed with a timestamp. If you create a lookup or csv file, make sure that file is inside a lookups folder inside a Splunk app. The it is as simple as:

some_search | lookup lookupfilename.csv hostname OUTPUT <field-list>
0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...