- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to execute conditional DNS lookup in a search?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The problem I am trying to solve is the following: if src_hostfield is missing, null or empty, add it to events by performing DNS resolution as indicated on http://answers.splunk.com/answers/105246/dns-resolution-in-a-search.html. However, if it is already present, don't touch it.
The simples way to do this would be if DNS resolution was available as an eval command and I could do something like eval src_host=coalesce(src_host, lookup(src_ip)). However, I was unable to find a way to do lookups outside of a search command.
Any ideas on how to achieve a similar result?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Turns out I found a way to do this using join. Assuming there's a macro called my_events which selects the CIM-compliant events, this is what is looks like:
`my_event` | join type=left src_ip [ search `my_event` NOT src_host="*" | fields src_ip | fields - _* | dedup src_ip | lookup dnslookup clientip AS src_ip OUTPUT clienthost AS src_host_resolved ] | eval src_host=coalesce(src_host, src_host_resolved)
One interesting advantage is that I am doing a single DNS lookup of each unique source IP address for which there are events with no src_host field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval src_host = split("8.8.8.8,dns.name,server_name, 172.217.9.206",",")
| mvexpand src_host
| foreach src_host [ eval tempip = if(match(src_host,"(\d{1,3}\.){3}\d{1,3}"), src_host, "") | lookup dnslookup clientip as tempip ]
| eval src_host=if(match(clienthost,"\w"),clienthost,src_host)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Turns out I found a way to do this using join. Assuming there's a macro called my_events which selects the CIM-compliant events, this is what is looks like:
`my_event` | join type=left src_ip [ search `my_event` NOT src_host="*" | fields src_ip | fields - _* | dedup src_ip | lookup dnslookup clientip AS src_ip OUTPUT clienthost AS src_host_resolved ] | eval src_host=coalesce(src_host, src_host_resolved)
One interesting advantage is that I am doing a single DNS lookup of each unique source IP address for which there are events with no src_host field.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
