Splunk Search

new field using information from other sourcetype

Path Finder

Hello,

I have two sourcetypes: pan_threat and pan_traffic (app SplunkforPaloAltoNetworks).
In pan_threat I have the relation between destinationIP and destinationHostname, and in pan_traffic I have only destinationIP.

I want to create a new field in pan_traffic with the destinationHostname info using the pan_threat information.

I used the external_lookup.py to do a reverse DNS resolution, but the reverse DNS resolution is not equal to the destinationHostname in pan_threat.


Contributor

Hi,

Well, a field is defined either through a field extraction or a transforms.conf file and is usually set by sourcetype or source.

If the dst_hostname information is available but not extracted in pan_traffic you can extract it with the rex command using a regular expression. This will create a new field you can use with that sourcetype.

Otherwise, if the dst_hostname field doesn't exist in pan_traffic and you want to use it, you can use an appended search to add that search. Something like this:

sourcetype=pan_traffic dst_ip=* | append [search sourcetype=pan_threat | fields dst_ip,dst_hostname] | stats values(dst_ip) by dst_hostname

but it will only be able to pull the dst_hostnames where they match the dst_ip of the pan_traffic sourcetype.


Path Finder

Hi Kate,

I want to add a new hostname field in pan_traffic using the information that I have in pan_threat.

pan_traffic has only dst_ip, and pan_threat has a dst_ip and dst_hostname.
I want a dst_hostname field in pan_traffic.

Thank you


Contributor

Hi,

If I'm reading this correctly you want to pass the hostname available in the pan_threat source but use that hostname in the pan_traffic data.

You should be able to do that with a subsearch; something like:

sourcetype=pan_traffic destinationIP=* | join type=left destinationIP [search sourcetype=pan_threat | fields destinationIP destinationHostname] | stats values(destinationIP) BY destinationHostname

This basically does a join and finds where the destinationIP matches and pulls the hostname field out so it can be reported on.

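A search that correlates the two sourcetypes on the shared dst_ip field in one pass, added here as an example (it is not from any of the posts above). It assumes the field names dst_ip and dst_hostname quoted in the question and the pan_traffic / pan_threat sourcetypes of the Palo Alto app; the hostname is copied from matching pan_threat events onto every pan_traffic event with the same dst_ip, and traffic whose destination never appears in pan_threat is kept and marked rather than dropped.

```spl
(sourcetype=pan_traffic OR sourcetype=pan_threat) dst_ip=*
| eval threat_hostname=if(sourcetype=="pan_threat", dst_hostname, null())
| eventstats values(threat_hostname) AS dst_hostname BY dst_ip
| search sourcetype=pan_traffic
| fillnull value="unknown" dst_hostname
| table _time dst_ip dst_hostname
```

Because eventstats groups by dst_ip across everything the outer search returns, keep the time range tight; if pan_threat has seen several hostnames for one dst_ip, dst_hostname becomes a multivalue field listing all of them.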