DNS Resolution: How to convert a hostname entered in a textbox input form to an IP address to be used in a search?

Explorer

I am taking a hostname through a form textbox. I want to convert that hostname to an IP address and use that IP address in a search. How can I accomplish this?

0 Karma

SplunkTrust

Hi peters1901,

This is not really a DNS resolution, but it will show you how it can be done using a lookup table containing host names and IPs:

ip,host
192.168.56.10,master
192.168.56.11,node1
192.168.56.12,node2
192.168.56.13,node3

Using this dashboard you will be able to search in index=_internal for an IP based on the selected host name in the dropdown:

<form>
  <label>Host name to ip search</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="host" searchWhenChanged="true">
      <label>Host</label>
      <search>
        <query>index=_internal host=* | dedup host | table host</query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal [ search index=_* host=$host$ | lookup ip2hosts host | dedup host | rename ip AS clientip | return clientip ] | timechart span=1d count by clientip</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>

Of course you need to adapt it to your needs and don't nail me on performance, since I never tested this in larger environments 😉
Based on the docs about external lookups http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Configureexternallookups#External_lookup... you can replace the text file based lookup with a script based lookup.

Hope this helps to get you started ...

cheers, MuS
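
The script-based lookup mentioned above, as an added example (not part of the original post and not Splunk's shipped script): it follows the external lookup contract of reading CSV rows on stdin and writing them back with the missing field filled in, and it validates each hostname before resolving it because the value originates from a dashboard input. The script name dns_lookup.py, the field names host and ip, and the strict hostname check are assumptions of this example.

```python
import csv
import re
import socket
import sys

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(name):
    """Accept only plain DNS names, so form input never reaches the resolver raw."""
    name = name[:-1] if name.endswith(".") else name
    if not name or len(name) > 253:
        return False
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def resolve(host, resolver=socket.gethostbyname):
    """Return the IPv4 address for host, or '' if it is invalid or unresolvable."""
    if not is_valid_hostname(host):
        return ""
    try:
        return resolver(host)
    except OSError:  # socket.gaierror and socket.herror are subclasses
        return ""


def run_lookup(infile, outfile, host_field, ip_field, resolver=socket.gethostbyname):
    """External lookup contract: CSV rows in, same rows out with ip_field filled."""
    reader = csv.DictReader(infile)
    if not reader.fieldnames:
        return
    writer = csv.DictWriter(outfile, fieldnames=reader.fieldnames)
    writer.writeheader()
    cache = {}  # resolve each distinct host once per invocation
    for row in reader:
        host = row.get(host_field, "")
        if host and not row.get(ip_field):
            if host not in cache:
                cache[host] = resolve(host, resolver)
            row[ip_field] = cache[host]
        writer.writerow(row)


if __name__ == "__main__":
    # Field names arrive as arguments; "dns_lookup.py host ip" is an assumed name.
    if len(sys.argv) != 3:
        sys.exit("usage: dns_lookup.py <host_field> <ip_field>")
    run_lookup(sys.stdin, sys.stdout, sys.argv[1], sys.argv[2])
```

Rows whose hostname fails validation or does not resolve come back with an empty ip field, so the calling search simply finds no match for them.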


SplunkTrust

Assuming that you have dnslookup configured, update your search like this:

Use IP address for the hostname as filter in base search (assuming you've a field named ip_address in your data)

index=foo sourcetype=bar [| gentimes start=-1 | eval host="$hostnametoken$" | dnslookup host ip_address | table ip_address ]

Use IP address for the hostname as a field value

your base search | eval ip_address=[| gentimes start=-1 | eval host="$hostnametoken$" | dnslookup host ip_address | eval query="\"".ip_address."\"" | table query ]
0 Karma


SplunkTrust

Is it a form textbox in an XML dashboard, HTML dashboard, or what? Give us more details.

0 Karma

Explorer

It is an XML dashboard.

0 Karma