Splunk Search

Trying to Find All Names that Match a Name in a Field

atebysandwich
Path Finder

I have a field called DNS whose field values contain the hostname in the lookup. There is also another field called Identified_Host that has similar values. I will show the difference below:

DNS                      Identified_Host
host1.domain.com         host1.domain.com
host1-admin.domain.com   host1.domain.com
host1-mgt.domain.com     host1.domain.com
host2.domain.com         host2.domain.com
host2-admin.com          host2.domain.com
host2-mgt.admin.com      host2.domain.com
host3.domain.com         host3.domain.com
host3-admin.com          host3.domain.com

From this example, it's shown that Identified_Host is the main name of the host. I need to find out which hosts in Identified_Host have values in DNS with the same name but also end with -admin and/or -mgt.


yuanliu
SplunkTrust

I get a rough idea about what the OP wants:

  1. The lowest level domain in DNS must be that in Identified_Host + "-admin" or "-mgt", and
  2. All upper level domains in DNS and those in Identified_Host are identical.

If this is correct, here is a literal interpretation.

| foreach DNS Identified_Host
    [rex field=<<FIELD>> "^(?<<<FIELD>>_low>[^\.]+)\.(?<<<FIELD>>_up>.+)$"]
``` split DNS and Identified_Host into the lowest label (*_low) and the remaining domain (*_up); the separating dot must be escaped, or it matches any character ```
| where match(DNS_low, "^". Identified_Host_low. "-(admin|mgt)$") AND DNS_up == Identified_Host_up
``` keep rows whose lowest label is <Identified_Host_low>-admin or -mgt and whose upper domains are identical ```
| fields - *_low *_up

Pro tip: You can do volunteers here a great favor if you not just describe the data, but also demonstrate what the desired result is, then explain the logic between data and desired result.

Using the data emulation @yeahnah gives, the result from this search is

DNS                      Identified_Host
host1-admin.domain.com   host1.domain.com
host1-mgt.domain.com     host1.domain.com

Are these what you expect?

yeahnah
Motivator

Hi @atebysandwich 

I'm not 100% sure I understand what you are trying to do but does this run-anywhere example help...

| makeresults
| eval _raw="DNS,Identified_Host
host1.domain.com,host1.domain.com
host1-admin.domain.com,host1.domain.com
host1-mgt.domain.com,host1.domain.com
host2.domain.com,host2.domain.com
host2-admin.com,host2.domain.com
host2-mgt.admin.com,host2.domain.com
host3.domain.com,host3.domain.com
host3-admin.com,host3.domain.com"
| multikv forceheader=1
| table DNS Identified_Host
 ```^^^ dummy events ^^^```
| where DNS!=Identified_Host
| stats values(DNS) BY Identified_Host
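
As an added example (not from either answer above), the two answers combined into one run-anywhere search that reports, per Identified_Host, which -admin / -mgt variants exist in DNS under the two rules yuanliu stated. It reuses the constructed sample rows from the emulation, splits each field into its lowest label and the remaining domain with two rex calls, marks only the rows that satisfy both rules, and aggregates; the field names ih_low, ih_up, dns_low, dns_up and variant are my own.

```spl
| makeresults
| eval _raw="DNS,Identified_Host
host1.domain.com,host1.domain.com
host1-admin.domain.com,host1.domain.com
host1-mgt.domain.com,host1.domain.com
host2.domain.com,host2.domain.com
host2-admin.com,host2.domain.com
host2-mgt.admin.com,host2.domain.com
host3.domain.com,host3.domain.com
host3-admin.com,host3.domain.com"
| multikv forceheader=1
| table DNS Identified_Host
| rex field=Identified_Host "^(?<ih_low>[^.]+)\.(?<ih_up>.+)$"
| rex field=DNS "^(?<dns_low>[^.]+)\.(?<dns_up>.+)$"
| eval variant=if(dns_up == ih_up AND match(dns_low, "^" . ih_low . "-(admin|mgt)$"), replace(dns_low, "^.*-", ""), null())
| stats values(variant) AS variants count(variant) AS variant_count BY Identified_Host
```

On the sample rows this yields host1.domain.com with variants admin and mgt (variant_count 2) and host2.domain.com and host3.domain.com with no variants, because host2-admin.com, host2-mgt.admin.com and host3-admin.com fail the upper-domain check; interpolating ih_low into the regex is safe here only because DNS labels contain just letters, digits and hyphens.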
