- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: tstat with dnslookup does not return the fqdn ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tstat with dnslookup does not return the fqdn for an IP value
Hello,
I have the following tstats query that I do not understand why it is not returning the FQDN
Here's the query I started off with that works:
| tstats summariesonly=t count FROM datamodel="pan_firewall" where nodename="log" log.vendor_action!=allow groupby host,log. src_zone,log.src_ip,log.dest_zone,log.dest_ip,log.dest_port
| rename log.* AS *
| table host,src_zone,src_ip,dest_zone,dest_ip,dest_port
In the following query, I want to resolve both the 'src_ip' and 'dest_ip' to a FQDN but is not working with no error notification or any indication the matched event counter was incrementing.
|tstats summariesonly=t count FROM datamodel="pan_firewall" where nodename="log" log.vendor_action!=allow groupby host,log.src_zone,log.src_ip,log.dest_zone,log.dest_ip,log.dest_port
| rename log.* AS *
| lookup dnslookup clientip AS src_ip output clienthost AS src_hostname
| lookup dnslookup clientip AS dest_ip output clienthost AS dest_hostname
| table host,src_zone,src_ip,src_hostname,dest_zone,dest_ip,dest_hostname,dest_port
If I run a similar command, the 'dnslookup' works.
index=* sourcetype=* vendor_action!=allow
| lookup dnslookup clientip AS src_ip output clienthost AS src_hostname
| lookup dnslookup clientip AS dest_ip output clienthost AS dest_hostname
| table host,src_zone,src_ip,src_hostname,dest_zone,dest_ip,dest_hostname,dest_port
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To answer my own question... after trying a number of different things ... turns out that the SPL syntax was fine.
What was happening was the number of results returned from the tstat for a 24hr window caused a huge resource consumption on search head.
I ended up running a dedup and reducing the time window to 10 mins to get the query returning the fqdn from dnslookup.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@wmoy If your problem is resolved, please accept the answer to help future readers.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ran your exact search but I inserted a | head 10 after the | rename to speed it up and it worked fine; does yours work better if you limit the results this way?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Good idea and that lead me to answering my own question that I've just posted.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't forget to UpVote and click Accept on your answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just guessing here, did you check if the field log.src_ip is numeric in the datamodel?
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, log.src_ip is numeric in the datamodel
Archived Metrics Now Available for APAC and EMEA realms
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!
