Subsearch to return hostname vs IP

Blu3fish

I'm attempting to run a search that returns bandwidth hogs by MBs downloaded. I have a search that successfully returns the values I'm after, though what I'd like to do is go one step further and translate the src IP into the src hostname for a given user (which I can currently do from the dhcp templates app).

Search for bandwidth hogs:
index=network sourcetype=firewall status=accept (dst_int=port9 OR dst_int=port10) | eval mb=rcvd/1024/1024 | stats sum(mb) as "MBs Downloaded" by src app | sort -"MBs Downloaded"

Search for IP to hostname (src_ip taken from the initial search's "src" field):
eventtype=dhcpd_event src_ip=xxx.xxx.xxx.xxx | fields src_host

I'm pretty certain what I'm after can be accomplished via a subsearch but this is where I'm on shaky legs. Any help would be appreciated.


kristian_kolb

Hmm, one way to do it would be by using join, but that can be expensive.

 index=network sourcetype=firewall status=accept (dst_int=port9 OR dst_int=port10)
 | rename src AS src_ip
 | join src_ip [search index=<your_index> eventtype=dhcpd_event | fields src_ip, src_host]
 | eval mb=rcvd/1024/1024
 | stats sum(mb) AS "MB Downloaded" by src_ip app
 | sort -"MB Downloaded"

I haven't tried this out on any sample data - I just inserted the subsearch and a rename into your existing query. It will perhaps not work out of the box, and there are probably more efficient ways of doing this. Give it a try, though, and let us know.

Hope this helps,

Kristian
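A second way to do the same IP-to-hostname correlation without join, added here as an illustration and not part of the answer above: search both sourcetypes in one pass, normalise the IP field, copy the DHCP hostname onto the firewall events with eventstats, then aggregate only the firewall events. It assumes the field names used in the posts above (src, rcvd and app on the firewall events; src_ip and src_host on the dhcpd events) and keeps <your_index> as the placeholder for the DHCP index.

```spl
(index=network sourcetype=firewall status=accept (dst_int=port9 OR dst_int=port10))
    OR (index=<your_index> eventtype=dhcpd_event)
| eval src_ip=coalesce(src_ip, src)
| eventstats latest(src_host) AS src_host by src_ip
| where sourcetype="firewall"
| fillnull value="no-dhcp-lease-in-window" src_host
| eval mb=rcvd/1024/1024
| stats sum(mb) AS "MB Downloaded" by src_host src_ip app
| sort -"MB Downloaded"
```

The fillnull keeps IPs that never appeared in a DHCP event within the time range (static hosts, or leases issued before the window) instead of silently dropping them from the report. If a lease for an IP changed inside the window, latest() attributes all of that IP's traffic to the newest host, so narrow the time range or maintain a scheduled IP-to-host lookup if that distinction matters.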

kristian_kolb

Good to hear that it worked. Sorry about mixing up the ip/host thingy, but it was 1AM when I wrote that... 🙂

Please mark the answer as accepted. Thank you.

/Kristian


Blu3fish

That worked very well. I made a slight change to your search, as I wanted to return the src_host value rather than src_ip. I simply swapped those fields and voila!

Thank you very much, Kristian. This had stumped me for some time.
