Hello,
I have two sourcetypes: pan_threat and pan_traffic (app SplunkforPaloAltoNetworks).
In pan_threat I have the relation between destinationIP and destinationHostname, and in pan_traffic I have only destinationIP.
I want to create a new field in pan_traffic with the destinationHostname info using the pan_threat information.
I used the external_lookup.py to do a reverse dns resolution but the reverse dns resolution is not equal to the destinationHostname in pan_threat.
Hi,
Well, a field is defined either through a field extraction or a transforms.conf file and is usually set by sourcetype or source.
If the dst_hostname information is available but not extracted in pan_traffic, you can extract it with the rex command using a regular expression. This will create a new field you can use with that sourcetype.
Otherwise, if the dst_hostname field doesn't exist in pan_traffic and you want to use it, you can use an appended search to add that search. Something like this:
sourcetype=pan_traffic dst_ip=* | append [search sourcetype=pan_threat | fields dst_ip, dst_hostname] | stats values(dst_hostname) AS dst_hostname BY dst_ip
but it will only be able to pull the dst_hostnames where they match the dst_ip of the pan_traffic sourcetype.
Hi Kate,
I want to add a new hostname field in pan_traffic using the information that I have in pan_threat.
pan_traffic has only dst_ip, and pan_threat has a dst_ip and dst_hostname.
I want a dst_hostname field in pan_traffic.
Thank you
Hi,
If I'm reading this correctly, you want to pass the hostname available in the pan_threat source but use that hostname in the pan_traffic data.
You should be able to do that with a subsearch; something like:
sourcetype=pan_traffic destinationIP=* | join type=left destinationIP [search sourcetype=pan_threat | dedup destinationIP | fields destinationIP, destinationHostname] | stats values(destinationIP) BY destinationHostname
This basically does a join and finds where the destinationIP matches and pulls the hostname field out so it can be reported on.
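For reference, an added example that is not from any of the posters above: the same enrichment done with a CSV lookup, which scales better than a join or append once pan_threat grows, because the dst_ip to dst_hostname map is built once and applied to every pan_traffic event. It assumes the field names dst_ip and dst_hostname from the earlier reply and uses a lookup file name, pan_threat_hosts.csv, that I made up for this example.

```spl
# Step 1 (run once, or on a schedule): build the IP to hostname map from pan_threat.
# dedup keeps one row per dst_ip so the lookup returns a single hostname.
sourcetype=pan_threat dst_ip=* dst_hostname=*
| dedup dst_ip
| table dst_ip, dst_hostname
| outputlookup pan_threat_hosts.csv

# Step 2: enrich pan_traffic with dst_hostname from that map.
# Events whose dst_ip is not in the map keep an empty dst_hostname, so
# fillnull marks them instead of silently dropping them from the report.
sourcetype=pan_traffic dst_ip=*
| lookup pan_threat_hosts.csv dst_ip OUTPUT dst_hostname
| fillnull value="unknown" dst_hostname
| stats count, values(dst_ip) AS dst_ip BY dst_hostname
```

If a threat event maps one dst_ip to several hostnames, drop the dedup and use `stats values(dst_hostname) AS dst_hostname BY dst_ip` in step 1 instead, so the lookup returns a multivalue field.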