
Use a lookup of one field to populate a search

mpitts
Explorer

I'm trying to build a server healthcheck dashboard in which a user enters a hostname and is returned a series. One of the panels I would like to return is a search of our load balancer logs showing if the server has any failed monitors. My problem is that the load balancer logs record everything by IP. So I need to be able to take the hostname that the user enters, perform a DNS lookup on it, then use the resulting IP in a search of the load balancer logs.

I've gotten as far as being able to perform the DNS lookup of the hostname, but I can't figure out how to then take and perform the second search.

Thanks for any help.

0 Karma

somesoni2
Revered Legend

Another, simpler option along similar lines would be:

sourcetype=ltm_log | lookup dnslookup clientip as host | rename clienthost as hostname | search <your filter>

0 Karma

mpitts
Explorer

I figured this one out with a subsearch:

sourcetype=ltm_log [search host=foo | lookup dnslookup clienthost as host | rename clientip as ltm_pool_member | return ltm_pool_member]

What this does is execute the subsearch and return 'ltm_pool_member="x.x.x.x"' to the parent search.
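The subsearch approach above, wired into a dashboard text input, as an added example that is not part of the original thread. The token name `hostname`, the labels and the 24-hour time range are assumptions; the subsearch starts from `makeresults` instead of `search host=foo` (a substitution, so the DNS lookup does not depend on events from that host existing), and the `|s` token filter wraps the user-entered value in quotes so it is handled as a string literal.

```xml
<form>
  <label>Server healthcheck</label>
  <fieldset submitButton="true">
    <!-- Assumed token name: hostname -->
    <input type="text" token="hostname">
      <label>Hostname</label>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>Load balancer log entries for this server</title>
      <table>
        <search>
          <!--
            Subsearch: build one result row holding the entered hostname,
            resolve it with the built-in dnslookup (clienthost to clientip),
            rename the result to the field used in the load balancer logs,
            and hand ltm_pool_member="x.x.x.x" back to the outer search.
          -->
          <query>sourcetype=ltm_log [| makeresults | eval clienthost=$hostname|s$ | lookup dnslookup clienthost OUTPUT clientip | rename clientip AS ltm_pool_member | return ltm_pool_member]</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```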

ShaneNewman
Motivator

You need to get the data from the DNS lookup into Splunk, either as a lookup file (csv) or by having the data indexed with a timestamp. If you create a lookup or csv file, make sure that file is inside a lookups folder inside a Splunk app. Then it is as simple as:

some_search | lookup lookupfilename.csv hostname OUTPUT <field-list>
0 Karma