Splunk Search

new field using information from other sourcetype

are0002
Path Finder

Hello,

I have two sourcetypes: pan_threat and pan_traffic (app SplunkforPaloAltoNetworks).
In pan_threat I have the relation between destinationIP and destinationHostname, and in pan_traffic I have only destinationIP.

I want to create a new field in pan_traffic with the destinationHostname info using the pan_threat information.

I used the external_lookup.py to do a reverse dns resolution but the reverse dns resolution is not equal to the destinationHostname in pan_threat.

0 Karma

mhensonagain
Engager

I have this use case and want to report on bytes by dest_hostname.

After adjusting for current Palo field names, the provided answer yields no results:

index=firewalls sourcetype=pan:traffic dest_zone=untrust dest_port=443 
    [search index=firewalls sourcetype=pan:threat 
    | fields dest_hostname] 
| stats sum(bytes) BY dest_hostname

0 Karma

PickleRick
SplunkTrust

1. Well, that's some grave digging. This thread is 12 years old.

2. Is this your literal search? Are you aware what it does?

0 Karma

yuanliu
SplunkTrust

Tagging a decade-old question is not a good way to get answers.  Please start a new question with the following guidelines in mind:

  • Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search that volunteers here do not have to look at.
  • Illustrate the desired output from illustrated data.
  • Explain the logic between illustrated data and desired output without SPL.
  • If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.
0 Karma

mhensonagain
Engager

Apologies for the lack of answers etiquette 😀.

join ended up working for me:

index=firewalls sourcetype=pan:traffic dest_zone=untrust dest_port=443
| join dest 
    [ search index=firewalls sourcetype=pan:threat dest_zone=untrust dest_port=443]
| stats sum(bytes) as total_bytes by dest_hostname

0 Karma

PickleRick
SplunkTrust

Join is very rarely the proper solution. It has limitations which can cause your results to be wrong or incomplete.

0 Karma

Kate_Lawrence-G
Contributor

Hi,

Well, a field is defined either through a field extraction or a transforms.conf file and is usually set by sourcetype or source.

If the dst_hostname information is available but not extracted in pan_traffic you can extract it with the rex command using a regular expression. This will create a new field you can use with that sourcetype.

Otherwise, if the dst_hostname field doesn't exist in pan_traffic and you want to use it, you can use an appended search to add that search. Something like this:

sourcetype=pan_traffic dst_ip=* | append [search sourcetype=pan_threat | fields dst_ip,dst_hostname] | stats values(dst_ip) by dst_hostname

but it will only be able to pull the dst_hostnames where they match the dst_ip of the pan_traffic sourcetype.

0 Karma

are0002
Path Finder

Hi Kate,

I want to add a new hostname field in pan_traffic using the information that I have in pan_threat.

pan_traffic has only dst_ip, and pan_threat has a dst_ip and dst_hostname.
I want a dst_hostname field in pan_traffic.

Thank you

0 Karma

Kate_Lawrence-G
Contributor

Hi,

If I'm reading this correctly, you want to pass the hostname available in the pan-threat source but use that hostname in the pan-traffic data.

You should be able to do that with a subsearch; something like:

sourcetype=pan_traffic destinationIP=* [search sourcetype=pan_threat | fields destinationHostname] | stats values(destinationIP) BY destinationHostname

This basically does a join and finds where the destinationIP matches and pulls the hostname field out so it can be reported on.

0 Karma
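Two join-free ways to carry dest_hostname from the threat log onto the traffic log, as an added example that is not part of any answer in this thread. It assumes the current Palo Alto sourcetypes (pan:traffic, pan:threat) and the dest, dest_hostname and bytes field names used in the necro posts above; index=firewalls, the 30-day harvesting window and the lookup file name pan_dest_hostnames.csv are assumptions, not values from the app. The first search correlates both sourcetypes in one pass with stats keyed on dest, so neither a subsearch nor join is involved; the second search builds a dest-to-hostname lookup from pan:threat (run it on a schedule), and the third applies that lookup to pan:traffic at report time.

```spl
index=firewalls (sourcetype=pan:traffic OR sourcetype=pan:threat) dest_zone=untrust dest_port=443
| eval traffic_bytes=if(sourcetype=="pan:traffic", bytes, 0)
| stats values(dest_hostname) AS dest_hostname sum(traffic_bytes) AS total_bytes BY dest
| fillnull value="unresolved" dest_hostname
| eval dest_hostname=mvjoin(dest_hostname, ";")
| stats sum(total_bytes) AS total_bytes BY dest_hostname
| sort - total_bytes

index=firewalls sourcetype=pan:threat dest_hostname=* earliest=-30d
| stats latest(dest_hostname) AS dest_hostname BY dest
| outputlookup pan_dest_hostnames.csv

index=firewalls sourcetype=pan:traffic dest_zone=untrust dest_port=443
| lookup pan_dest_hostnames.csv dest OUTPUT dest_hostname
| fillnull value="unresolved" dest_hostname
| stats sum(bytes) AS total_bytes BY dest_hostname
| sort - total_bytes
```

In the first search the eval zeroes bytes on threat events so only traffic volume is summed, values() collects the hostname(s) seen for each dest from the threat events only (traffic events have no dest_hostname), fillnull keeps destinations that never appeared in pan:threat instead of silently dropping them, and mvjoin keeps one row per dest when a destination IP was seen under several hostnames (without it the final stats would count that dest's bytes once per hostname). The lookup variant sidesteps the default subsearch limits (result count and runtime) that make join unreliable on firewall volumes, and lets the hostname mapping cover a longer window than the traffic report itself.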