Solved: DNSLOOKUP for a Destination Host, only the Source ...

rfiscus · ‎10-21-2015

I am apparently doing something wrong with the Destination Host dnslookup, it shows the Source Host instead. Any ideas on why I can't translate the destination IP into a host? It should be pulling the IP from the log file name which is correct, the destination IP works. The Destination Host is the only thing incorrect.

index = syslog sourcetype = cisco:ios configured
| rex field=source "^/\w+/\w+/\w+/(?<SourceIP>\w+\.\w+\.\w+\.\w+).log"
| eval "Destination IP" = SourceIP
| eval "Source IP" = src_ip
| lookup dnslookup clientip AS "Source IP"
| eval "Source Host" = upper(clienthost)
| lookup dnslookup clientip AS "Destination Host"
| eval "Destination Host" = upper(clienthost)
| eval Date = strftime(_time,"%m-%d-%Y %I:%M")
| eval Username = upper(user)
| eval Message = upper(message_text)
| eventstats count AS "Event Count" BY Date "Source IP" "Destination IP" Username Message
| dedup Date "Destination IP" Username Message
| table Date "Source IP" "Source Host" "Destination IP" "Destination Host" Username Message "Event Count"
| sort Date "Destination IP" Desc

rfiscus · ‎10-21-2015

This fixed it, thanks Bert!

| rename clienthost AS "Source Host" 
| lookup dnslookup clientip AS SourceIP
| eval "Destination Host" = upper(clienthost)

View solution in original post

rfiscus · ‎10-21-2015

This fixed it, thanks Bert!

| rename clienthost AS "Source Host" 
| lookup dnslookup clientip AS SourceIP
| eval "Destination Host" = upper(clienthost)

DNSLOOKUP for a Destination Host, only the Source Host is working.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!