Splunk Search

Simple Name for Variable

sy_price
Engager

Apologies in advance as I'm new to Splunk.

I'm trying to put a name to each line below. Each src to dst is a business client. So the 1st line would be Cisco, the 2nd would be Juniper, the third would be Microsoft.

Once I put this in a visualization I want to show the client name rather than src or whatever.

OR (src=192.168.1.1 dest=172.16.1.1)
OR (src=192.168.1.2 dest=172.16.2.1)
OR (src=192.168.1.3 dest=172.16.3.1) 

made up syntax:
Name:Cisco = (src=192.168.1.1 dest=172.16.1.1)

I hope you understand what I'm getting at. Thanks

Simon

1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @sy_price,

To do this, you have to create a lookup and associate a name to each address.

Then in the search you can display it instead of the IP.

If the lookup is called my_lookup and it contains two fields, IP and Name, you could run something like this:

index=your_index
| lookup my_lookup IP AS src OUTPUT Name AS src_Name
| lookup my_lookup IP AS dest OUTPUT Name AS dest_Name
| table _time src_Name dest_Name

Ciao.

Giuseppe


dcsteve24
Explorer

While lookup is probably the best way, I feel there are other ways to conduct this if IP ranges do not change.

I do a similar thing for my home network to pick up if my son gets on Roblox when he should be doing schoolwork and I don't use a lookup table for it.

Instead I do something like this for quick evaluations:

...your_input
| lookup dnslookup clientip AS your_IP_Field OUTPUT clienthost
| eval clienthost=case(cidrmatch("10.0.0.0/8", your_IP_Field), "roblox", cidrmatch("172.168.0.0/16", your_IP_Field), "Microsoft", true(), clienthost)

Splunk comes with the dnslookup automatically to query known DNS resolutions. It's not perfect, but things like Microsoft and Amazon would resolve. It returns a clienthost field which I further eval to match things I know based on research. I simply keep adding cases every time I find something new.

If you need them combined with IP later as one field (i.e. Microsoft: dest 172.0.01 source 10.0.0.1), do it with eval or strcat.

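Applying the case() approach from dcsteve24's reply to the exact src/dest pairs Simon listed, as an added example that is not from anyone in this thread. The first lines build four constructed sample events with makeresults so the search runs without any index; the client names, the fourth unmatched pair and the "Unknown" default are assumptions.

```spl
| makeresults count=4
| streamstats count AS n
| eval src=case(n=1, "192.168.1.1", n=2, "192.168.1.2", n=3, "192.168.1.3", true(), "192.168.1.99"),
       dest=case(n=1, "172.16.1.1", n=2, "172.16.2.1", n=3, "172.16.3.1", true(), "172.16.9.9")
| eval client=case(
        src="192.168.1.1" AND dest="172.16.1.1", "Cisco",
        src="192.168.1.2" AND dest="172.16.2.1", "Juniper",
        src="192.168.1.3" AND dest="172.16.3.1", "Microsoft",
        true(), "Unknown (".src." -> ".dest.")")
| stats count BY client
```

Replace the two makeresults/streamstats/eval lines with the real search and keep the client eval; the true() branch keeps unmatched pairs visible in the visualization instead of silently dropping them, which is usually what you want when a new client address shows up.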


sy_price
Engager

Thanks for the quick reply. 

I just had a read on the lookup. Unfortunately using a spreadsheet would not work for my end results due to access rights.

I was hoping for a simple command I did not know.

Never mind, we will just have to do a manual lookup on the IP.

Thanks again for the quick response!


gcusello
SplunkTrust
SplunkTrust

Hi @sy_price,

I'm sorry that the solution based on a lookup cannot be used in your case, even if I don't understand what you mean by "a spreadsheet would not work for my end results due to access rights".

You can save the spreadsheet in csv and load it periodically in a lookup.

Ciao.

Giuseppe

P.S.: Karma Points are appreciated 😉
