I'm looking to enrich a search of firewall IP data with DNS host data from proxy logs. To be clear, I don't want to do a DNS reverse lookup, I want to use information that is already in my proxy logs.
So basically, I'm looking to enrich the output of Search 1 (firewall_traffic) by adding a field with a value based on the results of Search 2 (proxy_logs).
Search 1:
sourcetype=firewall_traffic (some criteria * ) | stats sum(bytes_sent), count(repeat_count) by src_ip,application,dst_ip | ?? Add new field with values from Search 2 ?? | sort 10 -bytes_sent
Search 2:
sourcetype=proxy_logs ?? dst_ip value from Search 1 ?? | fields dns_name | head 1
Thanks,
Al
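One way to do this enrichment, given here as an added example rather than anything from the original post: build the IP-to-hostname mapping from the proxy logs in a subsearch, then left-join it onto the aggregated firewall rows. It assumes the proxy events carry the destination IP in a field also named dst_ip (rename it inside the subsearch if your proxy sourcetype uses a different name), that the aggregated fields are given explicit names so the final sort can reference bytes_sent, and that a missing hostname should be filled with a placeholder rather than left empty.

```spl
sourcetype=firewall_traffic (some criteria *)
| stats sum(bytes_sent) AS bytes_sent, count(repeat_count) AS repeat_count BY src_ip, application, dst_ip
| join type=left dst_ip
    [ search sourcetype=proxy_logs dst_ip=* dns_name=*
      | stats latest(dns_name) AS dns_name BY dst_ip ]
| fillnull value="no_proxy_record" dns_name
| sort 10 -bytes_sent
```

A subsearch is capped by default at 10,000 results and 60 seconds, so on a busy proxy the mapping can be silently truncated; in that case search both sourcetypes in one query and aggregate with stats, using values(dns_name) alongside the byte sums BY dst_ip, which has no such limit.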