Been trying for the past day and a half now to get this search working to no avail. This search is one of several on a dashboard we're using to gather some host information for compliance checking. The input value of the form is just a single text field, where the user can put in either an IP or an FQDN-style name to be used to look up the value of the "host" field in Splunk. I've been trying to add the ability for Splunk to automatically look up any IPs that are entered in DNS (using the usual external lookup), and then use that value as well in searching for the "host". Here's the search I'm using ($hosttag$ is obviously the name of the textfield input):
host=$hosttag$ OR host='[| eval clientip="$hosttag$" | lookup dnslookup clientip | rex field=clienthost "(?<shorthost>[^\.]+)\..*" | return shorthost]*' | stats count(sourcetype) by sourcetype
As you can see, I'm trying to get the FQDN, strip it back to the first stanza, and then return that back from the subsearch. This does not appear to be working at all though. There's never a value returned from the subsearch. I can confirm that running the external lookup with the data separately works fine, but this refuses to find anything.
Likewise, I've tried a different method, in case the "return" was possibly messing something up:
host=$hosttag$ OR [| eval clientip="$hosttag$" | lookup dnslookup clientip | rex field=clienthost "(?<shorthost>[^\.]+)\..*" | rename shorthost as host | fields + host] | stats count(sourcetype) by sourcetype
This version wouldn't have the "*" wildcard at the end of the returned host value from the subsearch, but based on our test data, it should still be finding values... it's not.
Could anyone point out what's going on here? Haven't had too many issues with dnslookups in the past, but this is getting INCREDIBLY frustrating.
Thanks in advance.
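An added example, not part of the original post, of one way the second variant can be restructured. It assumes the subsearch returns nothing because it starts with `eval` and has no generating command (so `makeresults`, available in Splunk 6.3+, is used to seed a single row), that `dnslookup` writes the resolved name into `clienthost`, and that when the token is not an IP (so no `shorthost` is produced) the subsearch should fall back to the token itself rather than return an empty result:

```spl
host=$hosttag$ OR [
    | makeresults
    | eval clientip="$hosttag$"
    | lookup dnslookup clientip
    | rex field=clienthost "(?<shorthost>[^\.]+)\..*"
    | eval host=if(isnotnull(shorthost), shorthost."*", "$hosttag$")
    | fields host
]
| stats count(sourcetype) by sourcetype
```

The subsearch's implicit `format` turns the single `host` value into `host="shorthost*"`, so the wildcard stays inside the field match instead of being appended outside the brackets; the fallback branch keeps the subsearch from ever being empty, which avoids the outer `OR` being combined with an empty result.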