Splunk Search

new field using information from other sourcetype

Path Finder

Hello,

I have two sourcetypes: pan_threat and pan_traffic (app SplunkforPaloAltoNetworks).
In pan_threat I have the relation between destinationIP and destinationHostname, and in pan_traffic I have only destinationIP.

I want to create a new field in pan_traffic with the destinationHostname info using the pan_threat information.

I used the external_lookup.py to do a reverse dns resolution but the reverse dns resolution is not equal to the destinationHostname in pan_threat.

Tags (1)
0 Karma

Contributor

Hi,

Well a field is defined either through a field extraction or a tranforms.conf file and is usually set by sourcetype or source.

If the dst_hostname information is available but not extracted in pan_traffic you can extract it with the rex command using a regular expression. This will create a new field you can use with that sourcetype.

Otherwise if the dst_hostname field doesn't exist in pan_trafic and you want to use it you can use an appended search to add that search. Something like this:

sourcetype=pan_traffic dst_ip=* | append [search sourcetype=pan_threat | fields dst_ip,dst_hostname> ] | stats values(dst_ip) by dst_hostname

but it will only be able to pull the dst_hostnames where they match the dst_ip of the pan_traffic sourcetype.

0 Karma

Path Finder

Hi Kate,

I want to add a new hostname field in pan_traffic using the information that I have in pan_threat.

pan_traffic has only dst_ip, and pan_threat has a dst_ip and dst_hostname.
I want a dst_hostname field in pan_traffic.

Thank you

0 Karma

Contributor

Hi,

If I'm reading this correctly you want the pass the hostname available in the pan-threat source but use that hostname in the pan-traffic data.

You should be able to do that with a subsearch; something like:

sourcetype=pan_traffic destinationIP=* [search sourcetype=pan_threat | fields destinationHostname] | stats values(destinationIP) BY destinationHostname

This basically does a join and finds where the destinationIP matches and pulls the hostname field out so it can be reported on.

0 Karma