Splunk Search

How to do a lookup for timechart headers

Communicator

Hello!

I have made a timechart with the command: (...) | timechart limit=10 sum(bytes) by src_ip

So I got the top ten (really? why? That is my first question) IP addresses as column headers. Now I want to translate these into hostnames. And my second question: how do I do that?


sflow | eval bytes = formatbytestom(bytes) | timechart limit=50 sum(bytes) by srcip | fields - OTHER | lookup iplookup ip as srcip output host as srcip

This was my first idea, but it can't work, as I don't have a src_ip column any more, only 10.245.1.56, 10.245.1.57, etc. My next idea was to use the rename command, but how can I rename every column, for example with eval? Wildcards are not working here.

The problem is I don't want to resolve all hostnames before drawing a chart (some thousands of IP addresses; it'd take many minutes), only the top ten, just after the top ten addresses have been selected.

0 Karma

Re: How to do a lookup for timechart headers

Communicator

Bump! Is it possible? 😞

0 Karma

Re: How to do a lookup for timechart headers

Legend

I imagine you could achieve this using the new foreach command that exists in Splunk 6.0 and onwards: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach

0 Karma

Re: How to do a lookup for timechart headers

Path Finder

I have found a way to do this, sort of. I did an untable, which was recommended to be able to search a timechart.
So in yours, you would most likely need something like the following:

sflow | eval bytes = formatbytestom(bytes) | timechart limit=50 sum(bytes) by src_ip | untable _time src_ip sum | lookup ip_lookup ip as src_ip output host | timechart sum(sum) by host

You may have to play with it, but that is the basis of what I did. Untable will pull the header values into a column; you manipulate that column, and then put it back into a timechart.

0 Karma

Re: How to do a lookup for timechart headers

Path Finder

The only problem with the above is that OTHER from the first timechart will come back as NULL in the second, since OTHER is probably not in your lookup. If you put a translation for it in the lookup as well, it should work.

0 Karma
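Pulling the thread's pieces together, as an added example rather than any poster's own search: it assumes a lookup named ip_lookup with fields ip and host (as in the replies above) and sflow events carrying src_ip and bytes. The coalesce keeps OTHER and any IP the lookup cannot resolve as their own labels instead of dropping them as NULL, and limit=0 on the second timechart stops it from folding series into a second OTHER.

```spl
sflow
| eval bytes = formatbytestom(bytes)
| timechart limit=10 sum(bytes) by src_ip
| untable _time src_ip bytes
| lookup ip_lookup ip AS src_ip OUTPUT host
| eval host = coalesce(host, src_ip)
| timechart limit=0 sum(bytes) by host
```

Only the ten column headers (plus OTHER) ever reach the lookup, so the resolution cost is bounded no matter how many source addresses are in the raw data.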

Re: How to do a lookup for timechart headers

Legend

What if you did the lookup before the timechart command and changed the timechart command to group by hostname? Something like this:

sflow | eval bytes = formatbytestom(bytes) | lookup ip_lookup ip as src_ip output host as hostname | timechart limit=50 sum(bytes) by hostname

0 Karma

Re: How to do a lookup for timechart headers

Path Finder

That was my first thought but I noticed this in the description of the problem:

The problem is I don't want to resolve all hostnames before drawing a chart (some thousands of IP addresses; it'd take many minutes), only the top ten, just after the top ten addresses have been selected.

So I did not give that as a response.

0 Karma