Hi,
I am trying to create a dashboard where a user can use either a hostname or IP address to search through Windows Event Logs.
The Windows Event logs use the field "Computer", and it contains only hostnames.
I have a lookup table assets.csv which has the following columns
ip nt_host
10.48.113.24 P60992
My base search is
index=wineventlog EventCode=4688 Computer=$ComputerSearch$
This is fine when the user enters a hostname, but what I need is a search where the user can enter an IP address in the dashboard text box ($ComputerSearch$), and the search then uses the lookup table to find the hostname and uses that hostname from the lookup table as the value of the field "Computer".
I hope this makes sense?
I think what needs to happen is a search using the token value needs to occur first to obtain a new variable (nt_host), which then needs to become the value of Computer in the base search.
I have tried using a few combinations via lookup and inputlookup without success.
Any help or direction would be greatly appreciated.
Thanks in advance
Take the user input, try to translate the IP to host and if that fails then keep the original.
| eval IpOrHost="10.1.1.1"
| lookup host2ip.csv ipaddr as IpOrHost OUTPUT host as Computer
| eval Computer=coalesce(Computer,IpOrHost)
Assuming the csv has 'host' and 'ipaddr' columns
If it could not be translated (a hostname or unknown IP) then 'Computer' becomes the input value.
If an IP is given that is known then 'Computer' becomes the associated host from the lookup.
Was this the piece you were missing?
...Laurie:{)
Hi Laurie,
Thanks for that.
I think this is the right track, but still not exactly what I need.
Basically, there is an IP address for the field "Computer". This field in the logs has hostnames, not IP addresses. I need something that will look up the IP in the lookup table and give the hostname to the value of the "Computer" field so that the search will work. Not sure if that makes sense?
Basically, the lookup needs to happen before the search where Computer=10.42.61.130, then put the hostname into the value of "Computer".
In the dashboard I use the variable $ComputerSearch$
I think it would possibly be something like this, but where Computer can be stored in a token to then | search Computer=$newtoken$
which will have the resolved hostname from the IP as the value?
index=wineventlog EventCode=4688
| eval IpOrHost="10.42.61.130"
| lookup mcafee_assets.csv ip as IpOrHost OUTPUT nt_host as Computer
| eval Computer=coalesce(Computer,IpOrHost)
| search Computer="whatever the value of Computer is after the lookup resolves from ip to nt_host"
| table _time Caller_User_Name Computer NewProcessName CommandLine
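The token-based approach described above (resolve the input to a hostname first, then search on the resolved value) can be built in Simple XML with a hidden search that sets a token. This is an added example, not code from this thread or from Splunk's docs; it assumes the lookup file mcafee_assets.csv with the columns ip and nt_host from the question, and the token name ResolvedComputer is an invented name.

```xml
<form>
  <label>4688 process creation by hostname or IP</label>
  <fieldset submitButton="true">
    <input type="text" token="ComputerSearch">
      <label>Hostname or IP address</label>
    </input>
  </fieldset>

  <!-- Resolver search (assumed design, not from the thread): makeresults
       produces a single row carrying the user input; the lookup adds
       nt_host only when the input is a known IP, and coalesce falls back
       to the raw input so a hostname or an unknown IP passes through
       unchanged. The |s token filter quotes and escapes the value so a
       stray quote in the text box cannot alter the SPL. -->
  <search>
    <query>
      | makeresults
      | eval ip=$ComputerSearch|s$
      | lookup mcafee_assets.csv ip OUTPUT nt_host
      | eval Computer=coalesce(nt_host, ip)
      | table Computer
    </query>
    <done>
      <!-- $result.Computer$ is the Computer value of the first result row -->
      <set token="ResolvedComputer">$result.Computer$</set>
    </done>
  </search>

  <row>
    <!-- The panel waits until the resolver has set ResolvedComputer -->
    <panel depends="$ResolvedComputer$">
      <table>
        <search>
          <query>index=wineventlog EventCode=4688 Computer=$ResolvedComputer|s$
| table _time Caller_User_Name Computer NewProcessName CommandLine</query>
        </search>
      </table>
    </panel>
  </row>
</form>
```

Because the panel search only receives the resolved hostname, the event search itself stays a plain field match and no lookup runs over the 4688 events.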
Hi Gerald,
Has your question been answered? I'm unsure if you need any additional assistance now.
Changing your code to:
index=wineventlog EventCode=4688
| eval IpOrHost="$IpOrHost$"
| lookup mcafee_assets.csv ip as IpOrHost OUTPUT nt_host as Computer
| eval Computer=coalesce(Computer,IpOrHost)
| search Computer="whatever the value of Computer is after the lookup resolves from ip to nt_host"
| table _time Caller_User_Name Computer NewProcessName CommandLine
Should get you what you need. $IpOrHost$ is the token from the user input.
...Laurie:{)