Splunk Enterprise

How to change src and dest field in data models to use DNS name if available?

hettervik_new
Explorer

As of today data models, like the Network Traffic data model, have fields for src, src_ip, dest and dest_ip, but not src_dns and dest_dns. The way I understand it, DNS names should then be used in the src and dest fields, and IPs in the fields src_ip and dest_ip.

Some logs don't have DNS names available in the log itself. However, if you have Splunk ES with a populated asset framework, it will automatically add the field src_dns and dest_dns to the events if the fields src and dest are already available.

If I want the fields src_dns and dest_dns from the events to be added to the src and dest fields in the data model, I would normally solve this by adding a coalesce for src in props.conf for the source type, but since lookups are applied after evals in the search-time parsing, this is not possible when src_dns and dest_dns come from a lookup, as is the case with Splunk ES.

Therefore I propose the following change to the data models themselves, for all data models that are using the src and dest fields:

Change the eval for src from

if(isnull(src) OR src="","unknown",src)

to

case((isnull(src_dns) OR src_dns="") AND (isnull(src) OR src=""),"unknown",NOT (isnull(src_dns) OR src_dns=""),src_dns,true(),src)

and likewise change the eval for dest from

if(isnull(dest) OR dest="","unknown",dest)

to

case((isnull(dest_dns) OR dest_dns="") AND (isnull(dest) OR dest=""),"unknown",NOT (isnull(dest_dns) OR dest_dns=""),dest_dns,true(),dest)
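Before editing the data model, the proposed case() expression can be exercised against constructed rows in an ordinary search. The following SPL is an added example, not part of the original post: it fabricates four events with makeresults (one with both an IP and a resolved name, one with only an IP, one with an empty src, one with src missing entirely) and applies the src eval exactly as proposed, so you can confirm that the DNS name wins when present, the IP is kept when no name exists, and both the empty-string and null cases collapse to "unknown". The host name ws01.corp.example and the 10.0.0.x addresses are made-up sample values; in a real ES deployment src_dns would come from the asset lookup rather than from this eval.

```spl
| makeresults count=4
| streamstats count AS n
| eval src=case(n=1, "10.0.0.5", n=2, "10.0.0.6", n=3, "", true(), null()),
       src_dns=case(n=1, "ws01.corp.example", true(), null())
| eval src=case(
        (isnull(src_dns) OR src_dns="") AND (isnull(src) OR src=""), "unknown",
        NOT (isnull(src_dns) OR src_dns=""), src_dns,
        true(), src)
| table n src_dns src
```

Expected rows: n=1 yields src=ws01.corp.example, n=2 keeps src=10.0.0.6, and n=3 and n=4 both yield src=unknown. The same harness works for dest by renaming the fields; running it first is the quickest way to catch a copy-paste slip such as falling through to dest inside the src expression.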

hettervik_new
Explorer

My proposed answer is stated in the post. Just wanted to share.

Also, if you think this solution should be a default part of Splunk, feel free to give my idea a thumb up: https://ideas.splunk.com/ideas/EID-I-1667
