Manually set host alias

hobbymaster001
Engager

I am trying to create a search that is pulling geographic IP information about the users and showing which server was getting the requests at that location. I have this working completely and showing the host being queried from a location, but I want to rename the output hosts. For example, we have server1 which hosts website1.com, server2 that hosts website2.com and so on. I would like the geostats graphs to show the "website1.com" tag that I set instead of the host "server1" so it is easier to read for those with no network familiarity.

The code I have right now is as follows:

host="server1" OR host="server2" OR host="server3" OR host="server4" OR host="server5" OR host="server6" OR host="server7" | rex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | where NOT cidrmatch("##.##.#.#/##",src_ip) | iplocation src_ip | geostats count by host

lguinn2
Legend

I suggest that you use a lookup table. This will give you good flexibility for maintaining the mapping - plus you can use it to simplify the search itself. First, create a CSV file:

host,web_site
server1,website1.com
server2,website2.com
etc

Then upload the csv and create a lookup, following these directions: Use Field Lookups

Let's assume that you name your lookup "host_lookup." Note that you don't need to make the lookup automatic. Once this is set up, the following report will do what you want:

[ | inputlookup host_lookup | fields host ]
| rex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| where NOT cidrmatch("##.##.#.#/##",src_ip) 
| iplocation src_ip 
| lookup host_lookup host OUTPUT web_site
| geostats count by web_site

Note that I have used the lookup data twice in this: the first line retrieves a list of all the hosts in the lookup table and inserts that list into the search itself. (You can use the Search Job Inspector to verify how it works.) In the next-to-last line, the web_site that corresponds to the host is obtained.

If you do decide to make the lookup automatic, then you can omit the next-to-last line. Personally, I would not make the lookup automatic if you are only using the web_site field in this report.

When you need to update the list of hosts and web sites, all you need to do is to re-upload a new csv file with the same name as before.
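As an added illustration (not part of the answer above), the following Python script emulates the lookup-based pipeline on constructed sample events: the subsearch-derived host filter, the rex extraction, the cidrmatch exclusion of an internal range, and the host-to-web_site lookup. The iplocation step is omitted because it needs Splunk's GeoIP database; the host names, IP addresses and the 10.0.0.0/8 internal range are assumptions standing in for the masked values in the thread.

```python
import csv
import io
import ipaddress
import re
from collections import Counter

# Constructed lookup CSV, mirroring the host,web_site table from the answer.
HOST_LOOKUP_CSV = """host,web_site
server1,website1.com
server2,website2.com
"""

# Constructed sample events as (host, raw event). server9 is deliberately
# missing from the lookup; 10.0.0.0/8 stands in for the masked internal CIDR.
EVENTS = [
    ("server1", "GET /index.html from 198.51.100.23"),
    ("server1", "GET /login from 10.0.0.5"),
    ("server2", "GET / from 203.0.113.9"),
    ("server2", "GET / from 203.0.113.10"),
    ("server9", "GET / from 192.0.2.77"),
]

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
IP_RE = re.compile(r"(?P<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})")


def load_lookup(csv_text):
    """Equivalent of the host_lookup table: host -> web_site."""
    return {row["host"]: row["web_site"] for row in csv.DictReader(io.StringIO(csv_text))}


def hosts_filter(lookup):
    """Equivalent of [ | inputlookup host_lookup | fields host ]: the set of
    host values the subsearch inserts as an OR-ed filter into the base search."""
    return set(lookup)


def count_by_web_site(events, lookup, internal_net=INTERNAL_NET):
    """Run the pipeline: host filter, rex, cidrmatch exclusion, lookup, count.
    Hosts absent from the lookup never reach the count, which is why the
    subsearch filter avoids events with an empty web_site field."""
    allowed_hosts = hosts_filter(lookup)
    counts = Counter()
    for host, raw in events:
        if host not in allowed_hosts:          # subsearch restricts hosts
            continue
        m = IP_RE.search(raw)                  # rex "(?<src_ip>...)"
        if not m:
            continue
        src_ip = ipaddress.ip_address(m.group("src_ip"))
        if src_ip in internal_net:             # where NOT cidrmatch(...)
            continue
        counts[lookup[host]] += 1              # lookup host OUTPUT web_site
    return dict(counts)
```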

