Splunk Search

Simple Name for Variable

sy_price
Engager

Apologies in advance as I'm new to Splunk.

I'm trying to put a name to each line below. Each src to dst is a business client. So the 1st line would be Cisco, the 2nd would be Juniper, the third would be Microsoft.

Once I put this in a visualisation I want to show the client name rather than src or whatever.

OR (src=192.168.1.1 dest=172.16.1.1)
OR (src=192.168.1.2 dest=172.16.2.1)
OR (src=192.168.1.3 dest=172.16.3.1) 

Made-up syntax:
Name:Cisco = (src=192.168.1.1 dest=172.16.1.1)

I hope you understand what I'm getting at - Thanks

Simon

1 Solution

gcusello
Esteemed Legend

Hi @sy_price,

To do this, you have to create a lookup and associate a name to each address.

Then in the search you can display it instead of the IP.

If the lookup is called my_lookup and it contains two fields, IP and Name, you could run something like this:

index=your_index
| lookup my_lookup IP AS src OUTPUT Name AS src_Name
| lookup my_lookup IP AS dest OUTPUT Name AS dest_Name
| table _time src_Name dest_Name

Ciao.

Giuseppe


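The accepted answer keys the lookup on a single IP; the question actually maps a src/dest pair to a client. The following is an added example (not from gcusello's post) that builds the pair-keyed lookup directly in SPL and then uses it. It assumes the index name your_index and the lookup file name clients.csv, and the three rows are constructed from the pairs in the question.

```spl
| makeresults count=3
| streamstats count AS n
| eval src=case(n==1, "192.168.1.1", n==2, "192.168.1.2", n==3, "192.168.1.3"),
       dest=case(n==1, "172.16.1.1", n==2, "172.16.2.1", n==3, "172.16.3.1"),
       client=case(n==1, "Cisco", n==2, "Juniper", n==3, "Microsoft")
| table src dest client
| outputlookup clients.csv

index=your_index src=192.168.1.* dest=172.16.*
| lookup clients.csv src dest OUTPUT client
| fillnull value="unmapped" client
| stats count BY client src dest
| sort - count
```

The first search writes the three constructed rows to clients.csv (it needs write access to lookups in the app you run it from); the second matches on both src and dest at once, so a src seen talking to a different dest does not inherit the wrong client name. Rows that come back as "unmapped" are pairs still missing from the file. If `| inputlookup clients.csv` returns nothing or an error for your user, the lookup's sharing and role permissions are the place to look before changing the search.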

dcsteve24
Explorer

While a lookup is probably the best way, I feel there are other ways to do this if IP ranges do not change.

I do a similar thing for my home network to pick up if my son gets on Roblox when he should be doing schoolwork, and I don't use a lookup table for it.

Instead I do something like this for quick evaluations:

...your_input
| lookup dnslookup clientip AS your_IP_Field OUTPUT clienthost
| eval clienthost=case(cidrmatch("10.0.0.0/8", your_IP_Field), "roblox", cidrmatch("172.168.0.0/16", your_IP_Field), "Microsoft", true(), clienthost)

Splunk comes with the dnslookup automatically to query known DNS resolutions. It's not perfect, but things like Microsoft and Amazon would resolve. It returns a clienthost field which I further eval to match things I know based on research. I simply keep adding cases every time I find something new.

If you need them combined with the IP later as one field (i.e. Microsoft: dest 172.0.01 source 10.0.0.1), do it with eval or strcat.

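Applying the case()/cidrmatch() idea from the post above to the exact pairs in the question gives a search that needs no lookup file at all. This is an added example, not dcsteve24's code; it assumes the field names src and dest from the question, the index name your_index, and treats anything else inside 172.16.0.0/12 as an unnamed internal client.

```spl
index=your_index (src=192.168.1.* dest=172.16.*)
| eval client=case(
      src=="192.168.1.1" AND dest=="172.16.1.1", "Cisco",
      src=="192.168.1.2" AND dest=="172.16.2.1", "Juniper",
      src=="192.168.1.3" AND dest=="172.16.3.1", "Microsoft",
      cidrmatch("172.16.0.0/12", dest),          "unnamed internal",
      true(),                                    "unknown")
| lookup dnslookup clientip AS dest OUTPUT clienthost AS dest_host
| eval label=client." (".src." -> ".dest.")"
| stats count BY client label dest_host
| sort - count
```

case() returns the value of the first condition that is true, so the exact pairs must come before the CIDR catch-all and the true() default; the "unknown" rows in the output are the ones to add as the next case. The dnslookup step only produces dest_host for addresses that have a reverse DNS entry, which private ranges like 172.16.0.0/12 usually do not, so it is a fallback label rather than the primary mapping.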


sy_price
Engager

Thanks for the quick reply. 

I just had a read on the lookup. Unfortunately, using a spreadsheet would not work for my end results due to access rights.

I was hoping for a simple command I did not know.

Never mind - we will just have to do a manual lookup on the IP.

Thanks again for the quick response!



gcusello
Esteemed Legend

Hi @sy_price,

I'm sorry that the solution based on a lookup cannot be used in your case, even if I don't understand what you mean by "a spreadsheet would not work for my end results due to access rights".

You can save the spreadsheet as a CSV and load it periodically into a lookup.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉
