
tstat with dnslookup does not return the fqdn for an IP value

wmoy
New Member

Hello,

I have the following tstats query, and I do not understand why it is not returning the FQDN.

Here's the query I started off with that works:

| tstats summariesonly=t count FROM datamodel="pan_firewall" where nodename="log" log.vendor_action!=allow groupby host,log.src_zone,log.src_ip,log.dest_zone,log.dest_ip,log.dest_port
| rename log.* AS *
| table host,src_zone,src_ip,dest_zone,dest_ip,dest_port

In the following query, I want to resolve both 'src_ip' and 'dest_ip' to a FQDN, but it is not working; there is no error notification or any indication that the matched event counter is incrementing.

|tstats summariesonly=t count FROM datamodel="pan_firewall" where nodename="log" log.vendor_action!=allow groupby host,log.src_zone,log.src_ip,log.dest_zone,log.dest_ip,log.dest_port
| rename log.* AS *
| lookup dnslookup clientip AS src_ip output clienthost AS src_hostname
| lookup dnslookup clientip AS dest_ip output clienthost AS dest_hostname
| table host,src_zone,src_ip,src_hostname,dest_zone,dest_ip,dest_hostname,dest_port

If I run a similar command, the 'dnslookup' works.

index=* sourcetype=* vendor_action!=allow
| lookup dnslookup clientip AS src_ip output clienthost AS src_hostname
| lookup dnslookup clientip AS dest_ip output clienthost AS dest_hostname
| table host,src_zone,src_ip,src_hostname,dest_zone,dest_ip,dest_hostname,dest_port
0 Karma

wmoy
New Member

To answer my own question... after trying a number of different things ... turns out that the SPL syntax was fine.
What was happening was the number of results returned from the tstat for a 24hr window caused a huge resource consumption on search head.
I ended up running a dedup and reducing the time window to 10 mins to get the query returning the FQDN from dnslookup.

0 Karma
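The two changes from the answer above written out as a search (an added example, not the poster's own query; it assumes the same pan_firewall data model and field names as the searches earlier in the thread): the time range is bounded to the last 10 minutes inside the tstats where clause, and dedup drops repeated source/destination pairs before the two dnslookup calls, so the external lookup runs once per unique pair instead of once per grouped row.

```spl
| tstats summariesonly=t count FROM datamodel="pan_firewall"
    where nodename="log" log.vendor_action!=allow earliest=-10m latest=now
    groupby host,log.src_zone,log.src_ip,log.dest_zone,log.dest_ip,log.dest_port
| rename log.* AS *
| dedup src_ip, dest_ip
| lookup dnslookup clientip AS src_ip OUTPUT clienthost AS src_hostname
| lookup dnslookup clientip AS dest_ip OUTPUT clienthost AS dest_hostname
| table host,src_zone,src_ip,src_hostname,dest_zone,dest_ip,dest_hostname,dest_port
```

dnslookup is a script-based external lookup, so every row handed to it costs a reverse-DNS call on the search head; that is why an oversized result set shows up as slow or empty output rather than as a search error.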

richgalloway
SplunkTrust

@wmoy If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma

woodcock
Esteemed Legend

I ran your exact search but I inserted a | head 10 after the | rename to speed it up and it worked fine; does yours work better if you limit the results this way?

0 Karma

wmoy
New Member

Good idea, and that led me to answering my own question, which I've just posted.

Thanks.

0 Karma

woodcock
Esteemed Legend

Don't forget to UpVote and click Accept on your answer.

0 Karma

MuS
SplunkTrust

Just guessing here, did you check if the field log.src_ip is numeric in the datamodel?

cheers, MuS

0 Karma

wmoy
New Member

Yes, log.src_ip is numeric in the datamodel

0 Karma