Splunk Search

Using a lookup to translate an IP to host name which can then be used in a search where only hostnames populate the field

gerald_contrera
Path Finder

Hi,

I am trying to create a dashboard where a user can use either a hostname or IP address to search through Windows Event Logs.

The Windows Event logs use the field "Computer" and is only hostnames.

I have a lookup table assets.csv which has the following columns

ip nt_host
10.48.113.24 P60992

My base search is

index=wineventlog EventCode=4688 Computer=$ComputerSearch$

Which is fine where the user enters a hostname, but what i need is a search where the user can enter an IP address in the dashboard text box ($ComputerSearch$) and the search then uses the lookup table to find the host name and then uses the hostname from the lookuptable for the value of the field "Computer"

I hope this makes sense?

I think whats needs to happen is a search using the token value needs to occur first to obtain a new variable (nt_host) which then needs to become the value of Computer in the base search.

I have tried using a few combinations via lookup and inputlookup without success.

Any help or direction would be greatly appreciated.

Thanks in advance

0 Karma

laurie_gellatly
Communicator

Take the user input, try to translate the IP to host and if that fails then keep the original.
| eval IpOrHost="10.1.1.1"
| lookup host2ip.csv ipaddr as IpOrHost OUTPUT host as Computer
| eval Computer=coalesce(Computer,IpOrHost)
Assuming the csv has 'host' and 'ipaddr' columns
If it could not be translated (a hostname or unknown IP) then 'Computer' becomes the input value.
If an IP is given that is known then 'Computer' becomes the associated host from the lookup.
Was this the piece you were missing?

...Laurie:{)

0 Karma

gerald_contrera
Path Finder

Hi Laurie,
Thanks for that.
I think this is the right track, but still not exactly what i need.

Basically, there is an IP address for the field "Computer". This field in the logs has hostnames not ip addresses. I need something that will lookup the ip in the lookup table and give the hostname to the value of "Computer" field so that the search will work. Not sure if that makes sense?
Basically, the lookup needs happen before the search where Computer=10.42.61.130, then put the the hostname into the value of "Computer".
In the dashboard i use the variable $ComputerSearch$

I think it would possibly something like this, but where Computer can be stored in a token to then | search Computer=$newtoken$
which will have the resolved hostname from the IP as the value?

index=wineventlog EventCode=4688

| eval IpOrHost="10.42.61.130"
| lookup mcafee_assets.csv ip as IpOrHost OUTPUT nt_host as Computer
| eval Computer=coalesce(Computer,IpOrHost)
| search Computer="what ever the value that Compuetr is after the lookup resolves from ip to nt_host"
| table _time Caller_User_Name Computer NewProcessName CommandLine

0 Karma

laurie_gellatly
Communicator

Hi Gerald,
Has your question been answered? I'm unsure if you need any additional assistance now.
Changing your code to:
index=wineventlog EventCode=4688
| lookup mcafee_assets.csv ip as $IpOrHost$ OUTPUT nt_host as Computer
| eval Computer=coalesce(Computer,$IpOrHost$)
| search Computer="what ever the value that Compuetr is after the lookup resolves from ip to nt_host"
| table _time Caller_User_Name Computer NewProcessName CommandLine
Should get you what you need. $IpOrHost$ is the token from the user input.

...Laurie:{)

0 Karma
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Access Tokens Page - New & Improved

Splunk Observability Cloud recently launched an improved design for the access tokens page for better ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...