I am trying to create a search that is pulling geographic IP information about the users and showing which server was getting the requests at that location. I have this working completely and showing the host being queried from a location, but I want to rename the output hosts. For example, we have server1 which hosts website1.com, server2 that hosts website2.com and so on. I would like the geostats graphs to show the "website1.com" tag that I set instead of the host "server1" so it is easier to read for those with no network familiarity.
The code I have right now is as follows:
host="server1" OR host="server2" OR host="server3" OR host="server4" OR host="server5" OR host="server6" OR host="server7" | rex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | where NOT cidrmatch("##.##.#.#/##",src_ip) | iplocation src_ip | geostats count by host
I suggest that you use a lookup table. This will give you good flexibility for maintaining the mapping - plus you can use it to simplify the search itself. First, create a CSV file:
host,web_site
server1,website1.com
server2,website2.com
etc
Then upload the csv and create a lookup, following these directions: Use Field Lookups
Let's assume that you name your lookup "host_lookup." Note that you don't need to make the lookup automatic. Once this is set up, the following report will do what you want:
[ | inputlookup host_lookup | fields host ]
| rex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| where NOT cidrmatch("##.##.#.#/##",src_ip)
| iplocation src_ip
| lookup host_lookup host OUTPUT web_site
| geostats count by web_site
Note that I have used the lookup data twice in this: the first line retrieves a list of all the hosts in the lookup table and inserts that list into the search itself. (You can use the Search Job Inspector to verify how it works.) In the next-to-last line, the web_site that corresponds to the host is obtained.
If you do decide to make the lookup automatic, then you can omit the next-to-last line. Personally, I would not make the lookup automatic if you are only using the web_site field in this report.
When you need to update the list of hosts and web sites, all you need to do is re-upload a new csv file with the same name as before.
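To make visible what the subsearch expands to and which events each pipe stage drops, here is an added Python model of the search above (example code written for this page, not Splunk code and not part of the answer). The lookup contents and the sample events are constructed, and the excluded CIDR is a placeholder 10.0.0.0/8 because the original range is redacted.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed stand-in for the host_lookup CSV described in the answer.
HOST_LOOKUP_CSV = """host,web_site
server1,website1.com
server2,website2.com
"""

# Same capture pattern as the rex stage in the search.
SRC_IP_RE = re.compile(r"(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")

def load_lookup(text):
    """Parse the lookup CSV into {host: web_site}, as inputlookup/lookup read it."""
    return {row["host"]: row["web_site"] for row in csv.DictReader(io.StringIO(text))}

def subsearch_clause(lookup):
    """Render what `[ | inputlookup host_lookup | fields host ]` expands to."""
    return "( " + " OR ".join(f'host="{h}"' for h in lookup) + " )"

def count_by_web_site(events, lookup, exclude_cidr):
    """Model the pipeline: subsearch host filter, rex, cidrmatch exclusion, lookup, count."""
    net = ipaddress.ip_network(exclude_cidr)
    counts = Counter()
    for ev in events:
        if ev["host"] not in lookup:          # hosts outside the lookup never match
            continue
        m = SRC_IP_RE.search(ev["_raw"])      # rex: no match means no src_ip field
        if not m:
            continue
        try:                                  # \d{1,3} also matches octets > 255
            ip = ipaddress.ip_address(m["src_ip"])
        except ValueError:
            continue
        if ip in net:                         # where NOT cidrmatch(exclude_cidr, src_ip)
            continue
        counts[lookup[ev["host"]]] += 1       # lookup host OUTPUT web_site, then count
    return dict(counts)

# Constructed sample events; the real search runs over the servers' own web logs.
EVENTS = [
    {"host": "server1", "_raw": "GET / from 203.0.113.10"},
    {"host": "server1", "_raw": "GET /login from 10.0.0.5"},    # internal, excluded
    {"host": "server2", "_raw": "GET / from 198.51.100.7"},
    {"host": "server9", "_raw": "GET / from 203.0.113.11"},     # not in the lookup
    {"host": "server2", "_raw": "health check, no client ip"},  # rex finds nothing
]

if __name__ == "__main__":
    lk = load_lookup(HOST_LOOKUP_CSV)
    print(subsearch_clause(lk))
    print(count_by_web_site(EVENTS, lk, "10.0.0.0/8"))
```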