I want to be able to see the host name in search results rather than IP. In this case, the "host" I am looking for is the name of the firewall, router, or switch sending the log message. The host names have been added to our DNS servers and nslookup returns the correct info. Any ideas on how to do this??
Thanks..
In my fw queries, I use two lookups in my queries, one to a lookup file that I created and manage called server_ip_lookup... and then a second one that does a dns lookup on source and destination
index="internetfirewalls" AND sourcetype="cisco:asa"
|lookup server_ip_lookup IPAddress as src_ip
output DeviceName as "Src_Device"
|lookup server_ip_lookup IPAddress as dest_ip
output DeviceName as "Dest_Device"
|stats count by dest_ip, Dest_Device, dest_port, src_ip, Src_Device, action, rule_id, transport
|sort -count
|lookup dnslookup clientip as src_ip OUTPUT clienthost as Src_Resolved
|lookup dnslookup clientip as dest_ip OUTPUT clienthost as Dest_Resolved
| eval Src_Device = if(Src_Device="-", Src_Resolved, Src_Device)
| eval Dest_Device = if(Dest_Device="-", Dest_Resolved, Dest_Device)
|table count, transport, src_ip, Src_Device, dest_ip, Dest_Device, dest_port, action, rule_id