Re: How to resolve top 10 ip addresses

pjb2160 · ‎03-09-2018

So, I'm running the following on some logs which have the dest_ip but no url. I want to report on the top domains by bandwidth:

index=proxy bytes=* 
| fields + user dest_ip bytes bytes_in bytes_out 
| stats sum(bytes) as total_bytes sum(bytes_in) as total_bytes_in sum(bytes_out) as total_bytes_out by dest_ip 
| eval "Total Bandwidth"=round(((total_bytes/1024)/1024),2), "Download"=round(((total_bytes_in/1024)/1024),2), "Upload"=round(((total_bytes_out/1024)/1024),2) 
| table dest_ip,"Total Bandwidth","Download","Upload"
| rename dest_ip as "Target IP Address"
| sort limit=10 -"Total Bandwidth"

I figure, it'd be most efficient to try and resolve the top 10 ip addresses only. Any pointers?

Cheers,
pjb2160

Teddles · ‎03-12-2018

Hello pgj2160,

As mayurr98 has already said, try adding the following stanza to transforms.conf:

[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

Then in your search, add a lookup:

| lookup dnsLookup ip AS dest_ip OUTPUT host AS "Target URL"

That should give you what you're after, but do let us know if it's no good!

mayurr98 · ‎03-09-2018

have a look at this answer
https://answers.splunk.com/answers/86585/resolve-ip-to-host.html

How to resolve top 10 ip addresses

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation