
How to convert selected fields to FQDN

jfmph_
Explorer

All,

Anybody got an idea on how to convert the selected fields below to FQDN? It seems lookups/dnslookup are not possible because of the https on the selected fields.

Hope somebody can help 🙂 Thanks in advance

jfmph__0-1760425213823.png

 

0 Karma
1 Solution

PrewinThomas
Motivator

@jfmph_ 

You need to remove the https and keep the IP to perform the lookup.

| eval ip=replace(YOUR_FIELD,"https://","")

This will remove the https and keep the IP; now use dnslookup to retrieve the hostname.

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!


jfmph_
Explorer

Hi Sir @PrewinThomas,

Appreciate your help; yes, the syntax works.

But just a follow-up question: when using lookups/dnslookup as per the screenshot below, it didn't show the actual FQDN.

Just wondering, is this something where our Splunk is unable to do DNS queries? Or maybe my lookup syntax is wrong; looking again for your advice. Thanks

jfmph__1-1760430696841.png

0 Karma

PrewinThomas
Motivator

@jfmph_ 

When you pass an IP to dnslookup, Splunk asks the OS resolver for the PTR record of that IP. If a PTR record exists in DNS, you’ll get back the hostname/FQDN.
If no PTR record exists, the field will be blank.

When you perform a reverse DNS lookup, you’ll receive whatever PTR record is defined in your DNS for that IP address. If the PTR record is present and correctly configured, the lookup will return the expected hostname.

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

akkoem
Explorer

I would first regex out the IP, then do the DNS lookup into a separate field, followed by a coalesce in case the DNS server doesn't know the host name. Here is the SPL with makeresults:

| makeresults 
| eval ip_list="https://10.32.52.4,https://10.4.247.4,https://10.76.72.4,https://10.76.73.4,https://10.81.224.10,https://10.81.224.2,http://10.1.1.2,http://10.2.3.4,http://10.4.5.6"
| makemv delim="," ip_list
| mvexpand ip_list
| rex field=ip_list "https?\:\/\/(?<ip>[\d\.]+)$"
| lookup dnslookup clientip AS ip OUTPUT clienthost AS hostname
| eval cmbd_name=coalesce(hostname,ip)
| fields cmbd_name hostname ip
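The two answers above describe the whole pipeline: strip the scheme, hand the IP to a PTR lookup, get a blank field when no PTR record exists, and coalesce back to the IP. As an added example that is not from this thread, here is the same logic in Python with a pluggable resolver, so it can run offline against a constructed PTR table; the default resolver asks the OS, as dnslookup does. The regex, the PTR table, the host names and the field names (following akkoem's post) are constructed for illustration.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional

# Same idea as the rex in the SPL above: drop the http/https scheme, capture the address.
SCHEME_IP_RE = re.compile(r"^https?://(?P<ip>[\d.]+)$")

# A resolver maps an IPv4 address to its PTR name, or None when no PTR exists (blank in dnslookup).
Resolver = Callable[[str], Optional[str]]


def system_ptr_resolver(ip: str) -> Optional[str]:
    """Ask the OS resolver for the PTR record, as dnslookup does."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None  # no PTR record, or the resolver could not answer


def extract_ip(url: str) -> Optional[str]:
    """Return the IPv4 address in 'https://10.1.2.3', else None."""
    m = SCHEME_IP_RE.match(url.strip())
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(m.group("ip")))
    except ipaddress.AddressValueError:
        return None  # digits and dots that are not a valid address (e.g. 999.1.1.1)


def enrich(ip_list: str, resolver: Resolver = system_ptr_resolver) -> List[Dict[str, Optional[str]]]:
    """Mirror the SPL: makemv -> mvexpand -> rex -> lookup dnslookup -> coalesce."""
    rows = []
    for item in ip_list.split(","):
        ip = extract_ip(item)
        if ip is None:
            continue  # rex would leave ip unset; skip the row
        hostname = resolver(ip)
        rows.append({"ip": ip, "hostname": hostname,
                     "cmdb_name": hostname if hostname else ip})
    return rows


# Constructed PTR table standing in for a DNS server; these are not real records.
FAKE_PTR = {"10.32.52.4": "ip-10-32-52-4.eu-west-1.compute.internal",
            "10.1.1.2": "dc01.corp.example"}

if __name__ == "__main__":
    sample = "https://10.32.52.4,http://10.1.1.2,https://10.4.247.4,https://999.1.1.1"
    for row in enrich(sample, FAKE_PTR.get):
        print(row)
```

Rows whose IP has no PTR entry keep the IP in cmdb_name, which is the blank-field case PrewinThomas describes; pass `system_ptr_resolver` (the default) to query your real DNS instead of the table.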

jfmph_
Explorer

@akkoem 

Thanks, the output below shows as per your suggestion, and I'm not sure if our Splunk is unable to query DNS, as it's not showing the correct FQDN.

jfmph__0-1760431314665.png


0 Karma

akkoem
Explorer

According to the screenshot, it queried the DNS server and returned cloud-native names. From the table fields, the IP is what is queried against, and hostname is what is returned. cmdb_name is just a new field in case the DNS lookup doesn't return anything.

0 Karma

