
How to do a DNS lookup on the top 20 IP results returned from a search?

Engager

Hi All,

I have a search that gives me the top 20 IPs visiting my website. I also have a working dnslookup version of the search which is way slower. I'm trying to figure out how to do the DNS lookup only on the top 20 results that are returned:

No DNS lookup, pretty quick

sourcetype=access_combined | top clientip limit=20

DNS lookup orders of magnitude slower

sourcetype=access_combined | lookup dnslookup clientip | top clientip,clienthost limit=20

I've also tried this, but it isn't quite what I want either:

[ search sourcetype=access_combined  | top clientip limit=20 | table clientip] | lookup dnslookup clientip | top clientip,clienthost

I want something like this:

sourcetype=access_combined | top clientip,clienthost limit=20 | lookup dnslookup clientip 

I've set up dnsmasq on 127.0.0.1 on the search head and was curious where exactly the external_lookup.py script looks for dns resolution.

Thanks in advance
Brian


Re: How to do a DNS lookup on the top 20 IP results returned from a search?

SplunkTrust

How about this:

 sourcetype=access_combined | top clientip limit=20 | lookup dnslookup clientip 



Re: How to do a DNS lookup on the top 20 IP results returned from a search?

Engager

Ahh, that plus adding ...

sourcetype=access_combined | top clientip limit=20 | lookup dnslookup clientip | table clientip, clienthost, count, percent

Gives me exactly what I want

Thanks!
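The reason the accepted search is fast is ordering: `top` reduces the event stream to 20 rows before `lookup` runs, so the external DNS script is called 20 times instead of once per event. The following is an added example, not code from this thread or from Splunk, that reproduces the same "reduce first, enrich after" pipeline in plain Python over constructed access_combined lines. The sample log, the hostnames, and the injectable `resolver` argument are assumptions made for this example; the default resolver is a real PTR lookup through the OS resolver, which is what a dnslookup external script ultimately does.

```python
"""Added example (not from the original thread or from Splunk): the pipeline
`... | top clientip limit=N | lookup dnslookup clientip` written in Python so the
cost difference between enriching before and after `top` can be counted."""
import re
import socket
from collections import Counter
from typing import Callable, Dict, List, Optional

# Constructed access_combined-style lines for this example (documentation
# ranges, not real traffic). The leading token is the client IP.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/8.0"
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "GET /admin HTTP/1.1" 403 128 "-" "curl/8.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /about HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
"""

CLIENTIP_RE = re.compile(r"^(?P<clientip>\S+) ")

Row = Dict[str, object]
Resolver = Callable[[str], Optional[str]]


def extract_clientips(log_text: str) -> List[str]:
    """Pull the clientip field out of every event, like field extraction does."""
    ips = []
    for line in log_text.splitlines():
        m = CLIENTIP_RE.match(line)
        if m:
            ips.append(m.group("clientip"))
    return ips


def top_clientips(ips: List[str], limit: int = 20) -> List[Row]:
    """Equivalent of `top clientip limit=N`: count, keep the N most common,
    and add the count and percent columns that `top` emits."""
    counts = Counter(ips)
    total = sum(counts.values())
    return [
        {"clientip": ip, "count": n, "percent": round(100.0 * n / total, 6)}
        for ip, n in counts.most_common(limit)
    ]


def reverse_dns(ip: str) -> Optional[str]:
    """Default resolver: a real PTR lookup via the OS resolver.
    Returns None when the address does not resolve."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def top_then_lookup(log_text: str, limit: int = 20,
                    resolver: Resolver = reverse_dns) -> List[Row]:
    """The accepted answer: `top` first, then one resolver call per surviving row."""
    rows = top_clientips(extract_clientips(log_text), limit)
    for row in rows:
        row["clienthost"] = resolver(row["clientip"])
    return rows


def lookup_then_top(log_text: str, limit: int = 20,
                    resolver: Resolver = reverse_dns) -> List[Row]:
    """The slow original: resolve every event, then `top clientip,clienthost`.
    Produces the same table but makes one resolver call per event."""
    ips = extract_clientips(log_text)
    hosts = [resolver(ip) for ip in ips]          # one call per raw event
    rows = top_clientips(ips, limit)
    host_by_ip = dict(zip(ips, hosts))
    for row in rows:
        row["clienthost"] = host_by_ip[row["clientip"]]
    return rows


if __name__ == "__main__":
    for row in top_then_lookup(SAMPLE_LOG, limit=2):
        print(row["clientip"], row["clienthost"], row["count"], row["percent"])
```

Passing a resolver of your own (for example one that records each call) makes the difference concrete: on the six sample events, `top_then_lookup(..., limit=2)` resolves two addresses while `lookup_then_top` resolves six, and the gap grows with event volume, which is exactly why the thread's original search was orders of magnitude slower.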