Hi peters1901,
this is not really a DNS resolution, but it will show you how it can be done using a lookup table containing host names and IPs:
ip,host
192.168.56.10,master
192.168.56.11,node1
192.168.56.12,node2
192.168.56.13,node3
Using this dashboard you will be able to search in index=_internal for an IP based on the selected host name in the drop-down:
<form>
<label>Host name to ip search</label>
<fieldset submitButton="true">
<input type="dropdown" token="host" searchWhenChanged="true">
<label>Host</label>
<search>
<query>index=_internal host=* | dedup host | table host</query>
</search>
<fieldForLabel>host</fieldForLabel>
<fieldForValue>host</fieldForValue>
</input>
</fieldset>
<row>
<panel>
<chart>
<search>
<query>index=_internal [ search index=_* host=$host$ | lookup ip2hosts host | dedup host | rename ip AS clientip | return clientip ] | timechart span=1d count by clientip</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="count">10</option>
<option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
<option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
<option name="charting.axisTitleX.visibility">visible</option>
<option name="charting.axisTitleY.visibility">visible</option>
<option name="charting.axisTitleY2.visibility">visible</option>
<option name="charting.axisX.scale">linear</option>
<option name="charting.axisY.scale">linear</option>
<option name="charting.axisY2.enabled">0</option>
<option name="charting.axisY2.scale">inherit</option>
<option name="charting.chart">column</option>
<option name="charting.chart.bubbleMaximumSize">50</option>
<option name="charting.chart.bubbleMinimumSize">10</option>
<option name="charting.chart.bubbleSizeBy">area</option>
<option name="charting.chart.nullValueMode">gaps</option>
<option name="charting.chart.showDataLabels">none</option>
<option name="charting.chart.sliceCollapsingThreshold">0.01</option>
<option name="charting.chart.stackMode">default</option>
<option name="charting.chart.style">shiny</option>
<option name="charting.drilldown">all</option>
<option name="charting.layout.splitSeries">0</option>
<option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
<option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
<option name="charting.legend.placement">right</option>
</chart>
</panel>
</row>
</form>
Of course you need to adapt it to your needs and don't nail me on performance, since I never tested this in larger environments 😉
Based on the docs about external lookups http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Configureexternallookups#External_lookup... you can replace the text-file-based lookup with a script-based lookup.
Hope this helps to get you started ...
cheers, MuS
Assuming that you've got dnslookup configured, update your search like this:
Use the IP address for the hostname as a filter in the base search (assuming you've got a field named ip_address in your data):
index=foo sourcetype=bar [| gentimes start=-1 | eval host="$hostnametoken$" | dnslookup host ip_address | table ip_address ]
Use the IP address for the hostname as a field value:
your base search | eval ip_address=[| gentimes start=-1 | eval host="$hostnametoken$" | dnslookup host ip_address | eval query="\"".ip_address."\"" | table query ]
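As an added example that is not part of either answer above: this is a minimal Python external lookup in the shape the linked docs describe (and what the built-in dnslookup is under the hood). Splunk pipes CSV rows with host/ip columns in on stdin and reads the filled-in rows back on stdout. The table-backed resolver and its sample hosts are constructed from the ip,host table in the first answer; a DNS-backed resolver would replace it in production.

```python
import csv
import io
import sys

# Constructed sample in the ip,host shape of the answer's lookup table;
# a production script would swap table_resolver for a DNS-backed one.
SAMPLE_TABLE = {
    "master": "192.168.56.10",
    "node1": "192.168.56.11",
    "node2": "192.168.56.12",
    "node3": "192.168.56.13",
}
REVERSE_TABLE = {ip: host for host, ip in SAMPLE_TABLE.items()}

def table_resolver(host=None, ip=None):
    """Hypothetical resolver over the in-memory table: returns the missing
    side of the pair, or None when there is no match."""
    if host:
        return SAMPLE_TABLE.get(host.lower())
    if ip:
        return REVERSE_TABLE.get(ip)
    return None

def fill_lookup(rows, resolver=table_resolver):
    """Populate the empty 'host' or 'ip' column of each row. Every input row
    is echoed back, with the missing field left empty if unresolvable."""
    out = []
    for row in rows:
        host = (row.get("host") or "").strip()
        ip = (row.get("ip") or "").strip()
        if host and not ip:
            ip = resolver(host=host) or ""
        elif ip and not host:
            host = resolver(ip=ip) or ""
        out.append({"host": host, "ip": ip})
    return out

def run_lookup(csv_text, resolver=table_resolver):
    """CSV in, CSV out: the contract Splunk uses for an external lookup."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["host", "ip"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(fill_lookup(rows, resolver))
    return buf.getvalue()

if __name__ == "__main__":  # Splunk pipes the rows in on stdin, reads stdout
    sys.stdout.write(run_lookup(sys.stdin.read()))
```

Wire it up in transforms.conf as an external lookup with fields host and ip, and it then works both ways (host to ip, ip to host) in the subsearches shown above.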
Is it a form textbox in an XML dashboard, HTML dashboard, or what? Give us more details.
It is an XML dashboard.