Splunk Search

How to get DNS resolution for public source IP?

seetharamanPr
New Member

Hi All,

I have written a search which shows which all countries are trying to access our servers from outside. It works fine and gives me loads of information. I was trying to tweak this search so that it will also give me the DNS resolution for the source IP from where the traffic is originating. The original search is as follows

index=netscreen sourcetype=netscreen:firewall | iplocation src dst | search Country=China OR Country=Syria OR Country=Iran OR Country=Israel OR Country=Yemen OR Country=Romania OR Country=Russia OR dest_translated_ip | stats count by Country src src_port dst dest_translated_ip dst_port policy_id | rex field=_raw "dst-xlated\sip=(?[^\s]+)" | sort count 50 | dedup src | rename Country as Orgin_Country, src as SOURCE_IP, src_port as Source_Port, dst as DESTINATION_IP, dst_port as Destination_Port, dest_translated_ip as REAL_IP,policy_id as POLICY_ID

The modification I made is as follows:

index=netscreen sourcetype=netscreen:firewall sourcetype!=optiv_threat_list | lookup dnslookup clientip AS src OUTPUT clienthost as Hostname| iplocation src dst | search Country=China OR Country=Syria OR Country=Iran OR Country=Israel OR Country=Yemen OR Country=Romania OR Country=Russia OR dest_translated_ip | stats count by Country src src_port dst dest_translated_ip dst_port policy_id | rex field=_raw "dst-xlated\sip=(?[^\s]+)" | sort count 50 | dedup src | rename Country as Orgin_Country, src as SOURCE_IP, src_port as Source_Port, dst as DESTINATION_IP, dst_port as Destination_Port, dest_translated_ip as REAL_IP,policy_id as POLICY_ID

The first search works perfectly but the second one does not yield any result. What am I doing incorrectly?

Regards
Pradeep


hunters_splunk
Splunk Employee

Hi Pradeep,

I think the rex syntax in your search may be incorrect. A field name should be provided so that the regex-captured group value can be assigned to it.

For example, the following search assigns anything after From: to the new from field and anything after To: to the new to field.

... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"

Therefore, you might need to supply a field name - sip, for example - in your search as well:

...| rex field=_raw "dst-xlated\sip=(?<sip>[^\s]+)" ... 

Hope this helps. Thanks!
Hunter


seetharamanPr
New Member

Hi Hunter,

I modified the regex as you suggested, but I am still not able to resolve the DNS for the source IP.


jplumsdaine22
Influencer

Most likely your search index=netscreen sourcetype=netscreen:firewall sourcetype!=optiv_threat_list does not contain the field dst, or alternatively you have no hits with Country=China OR Country=Syria OR Country=Iran OR Country=Israel OR Country=Yemen OR Country=Romania OR Country=Russia.

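As an added example (not posted by anyone in this thread), one way to restructure the search so the reverse-DNS result actually survives: the dnslookup is moved after stats and dedup, because `stats count by ...` discards every field not named in the by-clause (including the Hostname that the lookup produced), and `_raw` is gone after stats too, so the rex on it there has no effect and is dropped. Placing the lookup last also means one reverse-DNS query per unique source IP instead of one per raw event. It assumes the index, sourcetype and field names from the original search; the bare `OR dest_translated_ip` term is left out, and the `(no PTR record)` placeholder is a constructed value.

```spl
index=netscreen sourcetype=netscreen:firewall sourcetype!=optiv_threat_list
| iplocation src
| search Country=China OR Country=Syria OR Country=Iran OR Country=Israel OR Country=Yemen OR Country=Romania OR Country=Russia
| stats count by Country src src_port dst dest_translated_ip dst_port policy_id
| sort 50 -count
| dedup src
| lookup dnslookup clientip AS src OUTPUT clienthost AS Hostname
| fillnull value="(no PTR record)" Hostname
| rename Country AS Origin_Country, src AS SOURCE_IP, Hostname AS SOURCE_HOSTNAME, src_port AS Source_Port, dst AS DESTINATION_IP, dst_port AS Destination_Port, dest_translated_ip AS REAL_IP, policy_id AS POLICY_ID
```

A quick way to confirm the lookup itself works before wiring it into the full search is `| makeresults | eval src="<a known public IP>" | lookup dnslookup clientip AS src OUTPUT clienthost`; if clienthost comes back empty there, the search head has no outbound DNS and no amount of query rewriting will help.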