Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is the best way to rename timechart columns?

jankowsr
Path Finder
‎12-06-2016 06:16 AM

I have a simple timechart query

index = netflow flow_dir= 0 |timechart sum(bytes) by src_ip

I'm wondering how I would rename top source IPs to the result of actual DNS lookups. Theoretically, I could do DNS lookup before the timechart 

index = netflow flow_dir= 0
| lookup dnslookup clientip as src_ip OUTPUT clienthost as DST_RESOLVED
| timechart sum(bytes) by DST_RESOLVED

but in this way I would have to lookup every src IP (very slow) in the query not just top values. Is there any recommended approach for that problem?

Reply
1 Solution
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-06-2016 07:07 AM

Try this

*UPDATED*

index = netflow flow_dir= 0 | timechart sum(bytes) AS bytes by src_ip | untable _time src_ip bytes | lookup dnslookup clientip as src_ip OUTPUT clienthost as DST_RESOLVED | table _time DST_RESOLVED bytes | xyseries _time DST_RESOLVED bytes

View solution in original post

Reply
Solved! Jump to solution

halmai
New Member
‎03-06-2024 06:16 PM 
| timechart span=1m eval(sum(is_slow)/count) by v
| rename NULL as ratioOfSlow

did the job for me. 

0 Karma
Reply
Solved! Jump to solution
Solution

sundareshr
Legend
‎12-06-2016 07:07 AM

Try this

*UPDATED*

index = netflow flow_dir= 0 | timechart sum(bytes) AS bytes by src_ip | untable _time src_ip bytes | lookup dnslookup clientip as src_ip OUTPUT clienthost as DST_RESOLVED | table _time DST_RESOLVED bytes | xyseries _time DST_RESOLVED bytes
Reply
Solved! Jump to solution

jankowsr
Path Finder
‎12-07-2016 12:47 AM

First of all I guess you meant to write "sum(bytes) AS bytes" instead of "sum(bytes) a bytes". Anyway
index = netflow flow_dir= 0 | bin span=15m _time | stats sum(bytes) AS bytes by _time src_ip
may return hundreds of thousands results so to be honest I don't think performance is going to be better than doing DNS lookup before timechart unless you select top values. And in such case (selecting top values) you have to take care of calculating "OTHER" column which will probably make query quite complex.

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎12-08-2016 06:10 AM

Try the updated query

0 Karma
Reply
Solved! Jump to solution

jankowsr
Path Finder
‎12-09-2016 01:43 AM

I think your idea is magnificent! 🙂
I wasn't really aware of untab and xyseries functions.

I would just do something like
| lookup dnslookup clientip as src_ip OUTPUT clienthost as DST_RESOLVED
|eval DST_RESOLVED=if(isnull(DST_RESOLVED),src_ip,DST_RESOLVED)
in order not to loose "OTHER" value.

Thank you very much

0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎12-06-2016 07:03 AM

maybe something like:

 index = netflow flow_dir= 0
 | timechart sum(bytes) as bytes by src_ip
 | sort - bytes
 | join src_ip [|inputlookup dnslookup |rename clientip as src_ip clienthost as DST_RESOLVED|table src_ip DST_RESOLVED]
 | streamstats count
 | eval src_ip=if(count<11,DST_RESOLVED,src_ip)
 | fields - count - DST_RESOLVED
0 Karma
Reply
Solved! Jump to solution

jankowsr
Path Finder
‎12-07-2016 12:51 AM

It does not seem to be working for me and I guess the reason for it is that |inputlookup dnslookup is going to work only for static lookup tables. Also I'm not sure if that query would handle correctly "OTHER" column produced by timechart.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...