Hello,
I have the following tstats query that I do not understand why it is not returning the FQDN
Here's the query I started off with that works:
| tstats summariesonly=t count FROM datamodel="pan_firewall" where nodename="log" log.vendor_action!=allow groupby host,log.src_zone,log.src_ip,log.dest_zone,log.dest_ip,log.dest_port
| rename log.* AS *
| table host,src_zone,src_ip,dest_zone,dest_ip,dest_port
In the following query, I want to resolve both the 'src_ip' and 'dest_ip' to a FQDN, but it is not working, with no error notification or any indication that the matched-event counter was incrementing.
| tstats summariesonly=t count FROM datamodel="pan_firewall" where nodename="log" log.vendor_action!=allow groupby host,log.src_zone,log.src_ip,log.dest_zone,log.dest_ip,log.dest_port
| rename log.* AS *
| lookup dnslookup clientip AS src_ip output clienthost AS src_hostname
| lookup dnslookup clientip AS dest_ip output clienthost AS dest_hostname
| table host,src_zone,src_ip,src_hostname,dest_zone,dest_ip,dest_hostname,dest_port
If I run a similar command, the 'dnslookup' works.
index=* sourcetype=* vendor_action!=allow
| lookup dnslookup clientip AS src_ip output clienthost AS src_hostname
| lookup dnslookup clientip AS dest_ip output clienthost AS dest_hostname
| table host,src_zone,src_ip,src_hostname,dest_zone,dest_ip,dest_hostname,dest_port
To answer my own question... after trying a number of different things... it turns out that the SPL syntax was fine.
What was happening was that the number of results returned from the tstats for a 24hr window caused a huge resource consumption on the search head.
I ended up running a dedup and reducing the time window to 10 mins to get the query returning the FQDN from dnslookup.
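Putting the fix described in this answer into one search, as an added example that is not from the original post: it narrows the tstats window to 10 minutes and dedups on the source/destination IP pair before the lookups, so the dnslookup is invoked once per distinct pair instead of once per row. The earliest=-10m modifier, the dedup field choice and the ordering are assumptions based on the answer; the data model, node name and field names are taken from the thread.

```spl
| tstats summariesonly=t count FROM datamodel="pan_firewall" WHERE nodename="log" log.vendor_action!=allow earliest=-10m
    GROUPBY host,log.src_zone,log.src_ip,log.dest_zone,log.dest_ip,log.dest_port
| rename log.* AS *
| dedup src_ip, dest_ip
| lookup dnslookup clientip AS src_ip OUTPUT clienthost AS src_hostname
| lookup dnslookup clientip AS dest_ip OUTPUT clienthost AS dest_hostname
| table host,src_zone,src_ip,src_hostname,dest_zone,dest_ip,dest_hostname,dest_port
```

Because dedup keeps only the first row per IP pair, the count column no longer reflects all denied traffic for that pair; if the counts matter, keep the tstats output intact and instead cap the row count (for example with head) or resolve only the distinct IPs and join the hostnames back.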
@wmoy If your problem is resolved, please accept the answer to help future readers.
I ran your exact search but I inserted a | head 10 after the | rename to speed it up and it worked fine; does yours work better if you limit the results this way?
Good idea, and that led me to answering my own question, which I've just posted.
Thanks.
Don't forget to UpVote and click Accept on your answer.
Just guessing here, did you check if the field log.src_ip is numeric in the datamodel?
cheers, MuS
Yes, log.src_ip is numeric in the datamodel