Manually set host alias

hobbymaster001
Engager

I am trying to create a search that is pulling geographic IP information about the users and showing which server was getting the requests at that location. I have this working completely and showing the host being queried from a location, but I want to rename the output hosts. Example: we have server1 which hosts website1.com, server2 that hosts website2.com and so on. I would like the geostats graphs to show the "website1.com" tag that I set instead of the host "server1" so it is easier to read for those with no network familiarity.

The code I have right now is as follows:

host="server1" OR host="server2" OR host="server3" OR host="server4" OR host="server5" OR host="server6" OR host="server7"
| rex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| where NOT cidrmatch("##.##.#.#/##",src_ip)
| iplocation src_ip
| geostats count by host
1 Solution

lguinn2
Legend

I suggest that you use a lookup table. This will give you good flexibility for maintaining the mapping - plus you can use it to simplify the search itself. First, create a CSV file:

host,web_site
server1,website1.com
server2,website2.com
etc

Then upload the csv and create a lookup, following these directions: Use Field Lookups

Let's assume that you name your lookup "host_lookup." Note that you don't need to make the lookup automatic. Once this is set up, the following report will do what you want:

[ | inputlookup host_lookup | fields host ]
| rex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| where NOT cidrmatch("##.##.#.#/##",src_ip) 
| iplocation src_ip 
| lookup host_lookup host OUTPUT web_site
| geostats count by web_site

Note that I have used the lookup data twice in this: the first line retrieves a list of all the hosts in the lookup table and inserts that list into the search itself. (You can use the Search Job Inspector to verify how it works.) In the next-to-last line, the web_site that corresponds to the host is obtained.

If you do decide to make the lookup automatic, then you can omit the next-to-last line. Personally, I would not make the lookup automatic if you are only using the web_site field in this report.

When you need to update the list of hosts and web sites, all you need to do is to re-upload a new csv file with the same name as before.
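To make the mechanics of the accepted answer concrete, here is an added Python model of the pipeline (it is not part of the original thread and not Splunk code): it parses a constructed host_lookup CSV, expands the `[ | inputlookup host_lookup | fields host ]` subsearch into the `host="..." OR host="..."` filter the asker wrote by hand, applies the post's rex pattern and a `cidrmatch` exclusion over constructed events, joins each host to its web_site and counts per label. The internal range `10.0.0.0/8`, the event texts and the lookup rows are all assumptions standing in for the masked values in the post; the iplocation/geostats step is left out because only the label that geostats groups by changes.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed stand-in for the host_lookup CSV described in the answer.
HOST_LOOKUP_CSV = """host,web_site
server1,website1.com
server2,website2.com
server3,website3.com
"""

# Constructed events: "host" is Splunk's indexed host field, "_raw" the event text.
EVENTS = [
    {"host": "server1", "_raw": "GET /index.html client=203.0.113.10"},
    {"host": "server1", "_raw": "GET /login client=198.51.100.7"},
    {"host": "server2", "_raw": "GET / client=203.0.113.55"},
    {"host": "server2", "_raw": "health check client=10.0.1.20"},   # internal: dropped by NOT cidrmatch
    {"host": "server9", "_raw": "GET / client=203.0.113.99"},       # not in lookup: subsearch never selects it
    {"host": "server3", "_raw": "no client address logged"},        # rex finds nothing: no src_ip
    {"host": "server3", "_raw": "id=1234.5.6.7 GET /"},             # unanchored rex matches "234.5.6.7"
]

# Assumed placeholder for the masked ##.##.#.#/## range in the post.
INTERNAL_CIDR = "10.0.0.0/8"

# Same pattern as the post's rex command, left unanchored so its behaviour can be observed.
IP_RE = re.compile(r"(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")


def load_lookup(csv_text):
    """Parse the lookup CSV into a {host: web_site} mapping."""
    return {row["host"]: row["web_site"] for row in csv.DictReader(io.StringIO(csv_text))}


def subsearch_filter(lookup):
    """Mimic [ | inputlookup host_lookup | fields host ]: the subsearch expands to host="a" OR host="b" ..."""
    return " OR ".join(f'host="{h}"' for h in lookup)


def cidrmatch(cidr, ip):
    """Model SPL cidrmatch(): true when ip lies inside cidr; a malformed address is treated as no match."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def count_by_web_site(events, lookup, internal_cidr=INTERNAL_CIDR):
    """Apply the pipeline's host filter, rex extraction, cidrmatch exclusion and lookup join,
    then count events per web_site (geolocation omitted)."""
    counts = Counter()
    for ev in events:
        if ev["host"] not in lookup:          # base search only admits hosts listed in the lookup
            continue
        m = IP_RE.search(ev["_raw"])
        if m is None:                         # no src_ip: where NOT cidrmatch(...) is null and drops the event
            continue
        if cidrmatch(internal_cidr, m.group("src_ip")):
            continue                          # internal client, excluded like the post's cidrmatch clause
        counts[lookup[ev["host"]]] += 1       # lookup host OUTPUT web_site, then count by web_site
    return dict(counts)


if __name__ == "__main__":
    lookup = load_lookup(HOST_LOOKUP_CSV)
    print(subsearch_filter(lookup))
    print(count_by_web_site(EVENTS, lookup))
```

Two things the constructed events make visible: the `\d{1,3}` pattern without anchors will happily match inside a longer digit run (the `id=1234.5.6.7` event is counted under `234.5.6.7`), so a `\b` on each side of the rex pattern is worth adding; and because the subsearch builds the host filter from the lookup, a host missing from the CSV (server9 here) disappears from the map entirely instead of showing up under its raw name, which is convenient but means the CSV must be kept complete.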
