Splunk Search

new field using information from other sourcetype

are0002
Path Finder

Hello,

I have two sourcetypes: pan_threat and pan_traffic (app SplunkforPaloAltoNetworks).
In pan_threat I have the relation between destinationIP and destinationHostname, and in pan_traffic I have only destinationIP.

I want to create a new field in pan_traffic with the destinationHostname info using the pan_threat information.

I used the external_lookup.py to do a reverse DNS resolution, but the reverse DNS resolution is not equal to the destinationHostname in pan_threat.

0 Karma

mhensonagain
Engager

I have this use case and want to report on bytes by dest_hostname.

After adjusting for current Palo field names, the provided answer yields no results:

index=firewalls sourcetype=pan:traffic dest_zone=untrust dest_port=443 
    [search index=firewalls sourcetype=pan:threat 
    | fields dest_hostname] 
| stats sum(bytes) BY dest_hostname


0 Karma

PickleRick
SplunkTrust

1. Well, that's some grave digging. This thread is 12 years old.

2. Is this your literal search? Are you aware what it does?

0 Karma

yuanliu
SplunkTrust

Tagging a decade-old question is not a good way to get answers.  Please start a new question with the following guidelines in mind:

  • Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search that volunteers here do not have to look at.
  • Illustrate the desired output from illustrated data.
  • Explain the logic between illustrated data and desired output without SPL.
  • If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.
0 Karma

mhensonagain
Engager

Apologies for the lack of answers etiquette 😀.

join ended up working for me:


index=firewalls sourcetype=pan:traffic dest_zone=untrust dest_port=443
| join dest 
    [ search index=firewalls sourcetype=pan:threat dest_zone=untrust dest_port=443]
| stats sum(bytes) as total_bytes by dest_hostname

0 Karma

PickleRick
SplunkTrust

Join is very rarely the proper solution. It has limitations which can cause your results to be wrong or incomplete.

0 Karma
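Added example, not from any poster in this thread: the same bytes-by-hostname report computed in a single search with stats instead of join. It assumes the current Palo Alto app field names used in mhensonagain's searches (index=firewalls, sourcetypes pan:traffic and pan:threat, fields dest, dest_hostname, bytes, dest_zone, dest_port). Two points are worth checking before reaching for join. First, the earlier subsearch attempt returned nothing because a subsearch ending in `| fields dest_hostname` is rewritten into an `(dest_hostname="..." OR dest_hostname="...")` filter on the outer search, and pan:traffic events have no dest_hostname to match; `| fields dest` would narrow the traffic to destinations seen in pan:threat but still would not carry the hostname across. Second, join does carry it, but its subsearch is subject to a result limit and a timeout (limits.conf), and by default only the first matching pan:threat row per dest is used, so a report over a large time range can silently go incomplete. Reading both sourcetypes in one search and letting stats correlate on dest has none of those limits:

```spl
index=firewalls ((sourcetype=pan:traffic dest_zone=untrust dest_port=443) OR (sourcetype=pan:threat dest_hostname=*))
| eval bytes=if(sourcetype=="pan:traffic", bytes, null())
| stats sum(bytes) AS total_bytes latest(dest_hostname) AS dest_hostname BY dest
| where total_bytes>0 AND isnotnull(dest_hostname)
| stats sum(total_bytes) AS total_bytes BY dest_hostname
| sort - total_bytes
```

The eval zeroes out the threat side so only pan:traffic contributes bytes; latest(dest_hostname) takes the hostname from the most recent pan:threat event for each dest, since traffic events carry no value for it. Destinations with traffic but no threat event in the time range are dropped by the where clause; to keep them listed under their IP instead, replace that line with `| where total_bytes>0 | eval dest_hostname=coalesce(dest_hostname, dest)`.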

Kate_Lawrence-G
Contributor

Hi,

Well, a field is defined either through a field extraction or a transforms.conf file and is usually set by sourcetype or source.

If the dst_hostname information is available but not extracted in pan_traffic you can extract it with the rex command using a regular expression. This will create a new field you can use with that sourcetype.

Otherwise, if the dst_hostname field doesn't exist in pan_traffic and you want to use it, you can use an appended search to add that search. Something like this:

sourcetype=pan_traffic dst_ip=* | append [search sourcetype=pan_threat | fields dst_ip,dst_hostname] | stats values(dst_ip) by dst_hostname

but it will only be able to pull the dst_hostnames where they match the dst_ip of the pan_traffic sourcetype.

0 Karma

are0002
Path Finder

Hi Kate,

I want to add a new hostname field in pan_traffic using the information that I have in pan_threat.

pan_traffic has only dst_ip, and pan_threat has a dst_ip and dst_hostname.
I want a dst_hostname field in pan_traffic.

Thank you

0 Karma

Kate_Lawrence-G
Contributor

Hi,

If I'm reading this correctly, you want to pass the hostname available in the pan_threat source but use that hostname in the pan_traffic data.

You should be able to do that with a subsearch; something like:

sourcetype=pan_traffic destinationIP=* [search sourcetype=pan_threat | fields destinationHostname] | stats values(destinationIP) BY destinationHostname

This basically does a join and finds where the destinationIP matches and pulls the hostname field out so it can be reported on.

0 Karma
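Added example, not from the thread: for the original question (a dest_hostname field on pan_traffic events that any search can use), the IP to hostname mapping can be persisted as a CSV lookup instead of being re-correlated in every search. The file name dest_hostname_by_ip.csv and the 7-day harvest window are assumptions, and the searches use the current app's field names (dest, dest_hostname, bytes) rather than the dst_ip/destinationIP names quoted above. The first search is meant to run on a schedule (for example hourly) and rebuilds the lookup from pan:threat; the second is an ad hoc report that enriches pan:traffic from it:

```spl
index=firewalls sourcetype=pan:threat dest_hostname=* earliest=-7d@d
| stats latest(dest_hostname) AS dest_hostname BY dest
| outputlookup dest_hostname_by_ip.csv

index=firewalls sourcetype=pan:traffic dest_zone=untrust dest_port=443
| lookup dest_hostname_by_ip.csv dest OUTPUT dest_hostname
| eval dest_hostname=coalesce(dest_hostname, dest)
| stats sum(bytes) AS total_bytes BY dest_hostname
| sort - total_bytes
```

outputlookup creates the CSV in the app's lookups directory on first run and overwrites it on each subsequent run, so the mapping always reflects the most recent hostname seen per dest within the window. The coalesce keeps traffic to destinations with no known hostname visible under their IP rather than dropping it. To have the field appear on every pan:traffic search without an explicit lookup command, define the CSV as a lookup definition in transforms.conf and reference it from an automatic LOOKUP- setting in props.conf for sourcetype pan:traffic, which is the props/transforms route Kate mentions above.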