Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to resolve top 10 ip addresses

pjb2160
Path Finder
‎03-09-2018 01:59 AM

So, I'm running the following on some logs which have the dest_ip but no url. I want to report on the top domains by bandwidth:

index=proxy bytes=* 
| fields + user dest_ip bytes bytes_in bytes_out 
| stats sum(bytes) as total_bytes sum(bytes_in) as total_bytes_in sum(bytes_out) as total_bytes_out by dest_ip 
| eval "Total Bandwidth"=round(((total_bytes/1024)/1024),2), "Download"=round(((total_bytes_in/1024)/1024),2), "Upload"=round(((total_bytes_out/1024)/1024),2) 
| table dest_ip,"Total Bandwidth","Download","Upload"
| rename dest_ip as "Target IP Address"
| sort limit=10 -"Total Bandwidth"

I figure, it'd be most efficient to try and resolve the top 10 ip addresses only. Any pointers?

Cheers,
pjb2160

0 Karma
Reply

Teddles
Explorer
‎03-12-2018 09:29 PM

Hello pgj2160,

As mayurr98 has already said, try adding the following stanza to transforms.conf:

[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

Then in your search, add a lookup:

| lookup dnsLookup ip AS dest_ip OUTPUT host AS "Target URL"

That should give you what you're after, but do let us know if it's no good!

Reply

mayurr98
Super Champion
‎03-09-2018 03:21 AM

have a look at this answer
https://answers.splunk.com/answers/86585/resolve-ip-to-host.html

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...