
DNS Resolution: How to convert a hostname entered in a textbox input form to an IP address to be used in a search?

peters1901
Explorer

I am taking a hostname through a form textbox. I want to convert that hostname to an IP address and use that IP address in a search. How can I accomplish this?


MuS
SplunkTrust

Hi peters1901,

this is not really a DNS resolution, but it will show you how it can be done using a lookup table containing host names and IPs:

ip,host
192.168.56.10,master
192.168.56.11,node1
192.168.56.12,node2
192.168.56.13,node3

Using this dashboard you will be able to search in index=_internal for an IP based on the host name selected in the dropdown:

<form>
  <label>Host name to ip search</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="host" searchWhenChanged="true">
      <label>Host</label>
      <search>
        <query>index=_internal host=* | dedup host | table host</query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal [ search index=_* host=$host$ | lookup ip2hosts host | dedup host | rename ip AS clientip | return clientip ] | timechart span=1d count by clientip</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>

Of course you need to adapt it to your needs, and don't nail me on performance, since I never tested this in larger environments 😉
Based on the docs about external lookups, http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Configureexternallookups#External_lookup... , you can replace the text-file-based lookup with a script-based lookup.

Hope this helps to get you started ...

cheers, MuS


somesoni2
SplunkTrust

Assuming that you've got dnslookup configured, update your search like this.

Use the IP address for the hostname as a filter in the base search (assuming you have a field named ip_address in your data):

index=foo sourcetype=bar [| gentimes start=-1 | eval host="$hostnametoken$" | lookup dnslookup clienthost AS host OUTPUT clientip AS ip_address | table ip_address ]

Use the IP address for the hostname as a field value:

your base search | eval ip_address=[| gentimes start=-1 | eval host="$hostnametoken$" | lookup dnslookup clienthost AS host OUTPUT clientip AS ip_address | eval query="\"".ip_address."\"" | table query ]
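Both answers above resolve the host name through a lookup: MuS's ip2hosts CSV table (with the note that it can become a script-based external lookup) and somesoni2's dnslookup subsearch. The script below is an added example, not code from this thread or from Splunk, of such an external lookup in the shape Splunk expects (CSV rows in on stdin, CSV rows out on stdout); it assumes a hypothetical transforms.conf stanza `[host2ip]` with `external_cmd = host2ip.py host ip` and `fields_list = host,ip`, after which `| lookup host2ip host OUTPUT ip` takes the place of `| lookup ip2hosts host`, and it validates the host name coming from the textbox before resolving it.

```python
#!/usr/bin/env python3
"""Added example, not code from this thread or from Splunk: a minimal external
lookup script in the shape Splunk expects (CSV rows on stdin, CSV rows on
stdout) that fills ip from host, replacing the ip2hosts.csv table above.
The function names and the strict hostname check are this example's choices."""
import csv
import re
import socket
import sys

# RFC 1123 label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_hostname(name):
    """Accept only a plain hostname, so search syntax or junk typed into the
    dashboard textbox is dropped before it reaches the resolver."""
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.rstrip(".").split("."))


def resolve_rows(rows, resolver=socket.gethostbyname):
    """Fill 'ip' for every row that has a 'host' but no 'ip'. Malformed or
    unresolvable hosts get an empty ip, so the calling search simply finds
    no match instead of failing."""
    out = []
    for row in rows:
        host, ip = row.get("host", ""), row.get("ip", "")
        if host and not ip and valid_hostname(host):
            try:
                ip = resolver(host)
            except OSError:  # socket.gaierror is an OSError subclass
                ip = ""
        out.append({"host": host, "ip": ip})
    return out


def main(stdin=sys.stdin, stdout=sys.stdout):
    """Splunk runs external_cmd with the field names as arguments and pipes
    the rows to resolve as CSV; the output must carry the same header."""
    writer = csv.DictWriter(stdout, fieldnames=["host", "ip"])
    writer.writeheader()
    for row in resolve_rows(csv.DictReader(stdin)):
        writer.writerow(row)


if __name__ == "__main__":
    main()
```

The `resolver` argument exists so the logic can be exercised with a constructed table instead of live DNS; in the dashboard the lookup returns an empty ip for anything that does not resolve, which the subsearch then treats as no match.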


jkat54
SplunkTrust

Is it a form textbox in an XML dashboard, an HTML dashboard, or what? Give us more details.


peters1901
Explorer

It is an XML dashboard.
