Splunk Search

new field using information from other sourcetype

are0002
Path Finder

Hello,

I have two sourcetypes: pan_threat and pan_traffic (app SplunkforPaloAltoNetworks).
In pan_threat I have the relation between destinationIP and destinationHostname, and in pan_traffic I have only destinationIP.

I want to create a new field in pan_traffic with the destinationHostname info using the pan_threat information.

I used external_lookup.py to do a reverse DNS resolution, but the reverse DNS resolution is not equal to the destinationHostname in pan_threat.

0 Karma

Kate_Lawrence-G
Contributor

Hi,

Well, a field is defined either through a field extraction or a transforms.conf file and is usually set by sourcetype or source.

If the dst_hostname information is available but not extracted in pan_traffic, you can extract it with the rex command using a regular expression. This will create a new field you can use with that sourcetype.

Otherwise, if the dst_hostname field doesn't exist in pan_traffic and you want to use it, you can use an appended search to add that search. Something like this:

sourcetype=pan_traffic dst_ip=* | append [search sourcetype=pan_threat | fields dst_ip, dst_hostname] | stats values(dst_hostname) as dst_hostname by dst_ip

but it will only be able to pull the dst_hostnames where they match the dst_ip of the pan_traffic sourcetype.

0 Karma

are0002
Path Finder

Hi Kate,

I want to add a new hostname field in pan_traffic using the information that I have in pan_threat.

pan_traffic has only dst_ip, and pan_threat has a dst_ip and dst_hostname.
I want a dst_hostname field in pan_traffic.

Thank you

0 Karma

Kate_Lawrence-G
Contributor

Hi,

If I'm reading this correctly, you want to pass the hostname available in the pan_threat source but use that hostname in the pan_traffic data.

You should be able to do that with a subsearch; something like:

sourcetype=pan_traffic destinationIP=* | join type=left destinationIP [search sourcetype=pan_threat destinationHostname=* | dedup destinationIP | fields destinationIP, destinationHostname] | stats values(destinationIP) BY destinationHostname

This basically does a join and finds where the destinationIP matches and pulls the hostname field out so it can be reported on.

0 Karma
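A lookup-based way to do the same enrichment, added here as an example; it is not from the thread or from the SplunkforPaloAltoNetworks app. It uses the dst_ip / dst_hostname field names from the first answer (swap in destinationIP / destinationHostname if that is what your extraction produces), and the lookup file name pan_dst_hostnames.csv is a placeholder. The first search builds the IP-to-hostname table from pan_threat, the second applies it to pan_traffic, and the third gets the same result in a single ad hoc search without a lookup file.

```spl
sourcetype=pan_threat dst_ip=* dst_hostname=*
| stats values(dst_hostname) as dst_hostname by dst_ip
| outputlookup pan_dst_hostnames.csv

sourcetype=pan_traffic dst_ip=*
| lookup pan_dst_hostnames.csv dst_ip OUTPUT dst_hostname
| fillnull value="unknown" dst_hostname
| stats count by dst_ip, dst_hostname

(sourcetype=pan_threat OR sourcetype=pan_traffic) dst_ip=*
| eventstats values(dst_hostname) as dst_hostname by dst_ip
| where sourcetype="pan_traffic"
| stats count by dst_ip, dst_hostname
```

Two things to keep in mind. values() is used rather than latest() because one destination IP can front many hostnames (this is also why a reverse DNS lookup does not match what pan_threat recorded); stats by a multivalue dst_hostname then gives one row per hostname. And only dst_ip values that appear in pan_threat get a hostname at all, so fillnull marks the rest explicitly instead of silently dropping them. Run the first search on a schedule so the lookup stays current; the eventstats form avoids the lookup file but has to read both sourcetypes every time.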