I would like to modify my search term before I actually search for it. Background: I want to see how the MX for a certain domain connects to my MX. Say I want to know how (e.g. with TLS) the mail relay for acme.org connects. If I search for acme.org in my maillog, I find nothing, because the MX record for acme.org might be coolmailer.com. Currently I do the lookup by hand before I search, but it would be cool to integrate this step into the splunk search. I tried using a scripted lookup, but I fail at using a lookup before getting any results from search.
Something along the lines of

sourcetype=whatever give_mx_record_of("acme.org") |stats count by encryption_level

where give_mx_record_of("acme.org") would return coolmailer.com, which is what would be searched for, so while I enter acme.org into my (saved) search (because that is what I know), splunk actually searches for

sourcetype=whatever coolmailer.com |stats count by encryption_level
This particular example would probably yield just one line, or no result. I have a python script that does the conversion of acme.org to coolmailer.com, currently in the form of a lookup script (scripted lookup), but if it helps I can transform it to any other format.
Can splunk do such a thing, and if yes, how?
Perhaps a subsearch would work for you.
index=wherever [ search index=mxstuff acme.org | other search stuff | fields mx_name ]
Terrible example, but you haven't given much to go on. The search within the brackets is the subsearch. It executes first, and the results of the subsearch become terms in the base search. You may want to read more in the manual: About subsearches.
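Added example, not the asker's script nor anything from the answer above: a Splunk external (scripted) lookup in Python that fills an `mx_name` column from a `domain` column, following the CSV-on-stdin, CSV-on-stdout convention such lookups use, so it can then be dropped into a subsearch as the answer suggests. The DNS step is passed in as a callable so the row-filling logic runs offline against a constructed table; the real resolver assumes dnspython 2.x, and the transforms.conf stanza name `mx_lookup` is an assumption.

```python
#!/usr/bin/env python3
# Splunk external (scripted) lookup: domain -> MX host names.
# transforms.conf (stanza name mx_lookup assumed):
#   external_cmd = mx_lookup.py domain mx_name
#   fields_list  = domain, mx_name
# Splunk pipes a CSV with a header row to stdin and expects the same
# columns back on stdout with the empty cells filled in.
import csv
import sys

# Constructed table standing in for DNS so the example runs offline.
CONSTRUCTED_MX = {"acme.org": ["coolmailer.com", "backup.coolmailer.com"]}


def resolve_mx_constructed(domain):
    """MX hosts from the constructed table; empty list if unknown."""
    return list(CONSTRUCTED_MX.get(domain.lower().rstrip("."), []))


def resolve_mx_dns(domain):
    """Real lookup via dnspython 2.x (assumed installed), best preference first."""
    import dns.resolver  # imported lazily so offline use does not need it
    try:
        answer = dns.resolver.resolve(domain, "MX")
    except Exception:  # NXDOMAIN, NoAnswer, timeout: treat as no match
        return []
    return [r.exchange.to_text().rstrip(".")
            for r in sorted(answer, key=lambda r: r.preference)]


def fill_rows(rows, resolve):
    """Fill empty mx_name cells; a domain with N MX hosts yields N rows.

    Rows that already carry mx_name pass through untouched. A domain with
    no MX record yields no row, which Splunk reports as 'no match'.
    """
    out = []
    for row in rows:
        if row.get("mx_name"):
            out.append(dict(row))
            continue
        for mx in resolve(row.get("domain", "")):
            out.append({**row, "mx_name": mx})
    return out


if __name__ == "__main__":
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    writer.writerows(fill_rows(reader, resolve_mx_dns))
```

With the stanza in place, the lookup can drive the subsearch from the answer, for example `index=wherever [| makeresults | eval domain="acme.org" | lookup mx_lookup domain OUTPUT mx_name | mvexpand mx_name | return 10 $mx_name]`; `return 10` rather than the default single row keeps every MX host, since most domains publish more than one.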