Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Simple Name for Variable

sy_price
Engager
‎08-28-2020 05:21 AM

Apologies in advance as im new to Splunk

Im trying to put a name to each line below. Each src to dst is a business client. So 1st line would be cisco. 2nd would be juniper, third would be Microsoft. 

Once i put this in a visualtion i want to show client name rather than src or whatever. 

OR (src=192.168.1.1 dest=172.16.1.1)
OR (src=192.168.1.2 dest=172.16.2.1)
OR (src=192.168.1.3 dest=172.16.3.1) 

made up syntax:
Name:Cisco = (src=192.168.1.1 dest=172.16.1.1)

I hope you understand what im getting at - Thanks

Simon

Labels (1)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2020 05:38 AM

Hi @sy_price,

to do this, you have to create a lookup and associate a name to each address.

Then in the search you can display it instead IP.

if the lookup is called my_lookup and it contain two fields: IP, Name, you could run something like this:

index=your_index
| lookup my_lookup IP AS src OUTPUT Name As src_Name
| lookup my_lookup IP AS dst OUTPUT Name AS dst_Name
| table _time src_Name dst_Name

Ciao.

Giuseppe

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

dcsteve24
Explorer
‎09-08-2020 02:36 PM

While lookup is probably the best way, I feel there are other ways to conduct this if IP ranges do not change.

I do a similar thing for my home network to pick up if my son gets on Roblox when he should be doing schoolwork and I don't use a lookup table for it.

Instead I do something like this for quick evaluations:

 

...your_input 
| lookup dnslookup your_IP_Field 
| eval clienthost=case(cidrmatch("10.0.0.0/8", roblox), cidrmatch("172.168.0.0/16", Microsoft))

 


Splunk comes with the dnslookup automatically to query known DNS resolutions. Its not perfect but things like Microsoft and Amazon would resolve. It returns a clienthost field which I further eval to match things I know based on research. I simply keep adding cases everytime I find something new.

If you need them combined with IP later as one field (i.e. Microsoft: dest 172.0.01 source 10.0.0.1), do it with eval or strcat.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2020 05:38 AM

Hi @sy_price,

to do this, you have to create a lookup and associate a name to each address.

Then in the search you can display it instead IP.

if the lookup is called my_lookup and it contain two fields: IP, Name, you could run something like this:

index=your_index
| lookup my_lookup IP AS src OUTPUT Name As src_Name
| lookup my_lookup IP AS dst OUTPUT Name AS dst_Name
| table _time src_Name dst_Name

Ciao.

Giuseppe

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

sy_price
Engager
‎08-28-2020 06:04 AM

Thanks for the quick reply. 

I just had a read on the lookup. Unfortunately using a spreadsheet would not work for my end results due to access rights. 

I was hoping for a simple command i did not know. 

Nevermind - we will just have to do a manual lookup on the IP. 

Thanks again for the quick response!


0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-28-2020 06:15 AM

Hi @sy_price,

I'm sorry that the solution based on a lookup cannot be used in your case, even if I don't understand what you mean by "a spreadsheet would not work for my end results due to access rights".

You can save the spreadsheet in csv and load it periodically in a lookup.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...