I would like to modify my search term before I actually search for it. Background: I want to see how the MX for a certain domain connects to my MX. Say I want to know how (e.g. with TLS) the mail relay for acme.org connects. If I search for acme.org in my maillog, I find nothing, because the MX record for acme.org might be coolmailer.com. Currently I do the lookup by hand before I search, but it would be cool to integrate this step into the Splunk search. I tried using a scripted lookup, but I fail at using a lookup before getting any results from the search.
Something along the lines of
sourcetype=whatever give_mx_record_of("acme.org") |stats count by encryption_level
where give_mx_record_of("acme.org") would return coolmailer.com, which is what would be searched for, so while I enter acme.org into my (saved) search (because that is what I know), Splunk actually searches for
sourcetype=whatever coolmailer.com |stats count by encryption_level
This particular example would probably yield just one line, or no result. I have a Python script that does the conversion of acme.org to coolmailer.com, currently in the form of a lookup script (scripted lookup), but if it helps I can transform it to any other format.
Can Splunk do such a thing, and if yes, how?
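The following is an added example, not the poster's script, showing the shape such a scripted (external) lookup takes: Splunk's external lookup protocol passes a CSV with a header on stdin and expects the same header back on stdout with the missing fields filled in. The lookup field names `domain` and `mx_host` are assumed here, and the DNS query is replaced by a constructed in-memory MX table so the example runs offline; a real script would answer `query_mx` from a resolver library instead. It also normalises what DNS returns (trailing dot, mixed case, several MX records ordered by preference) so that the value injected into the search matches what the maillog actually contains.

```python
# Added example (not the poster's code): a Splunk-style external lookup
# script mapping a mail domain to its primary MX host.
# Assumed lookup fields: "domain" (input) and "mx_host" (output).
import csv
import sys

# Constructed stand-in for a real DNS MX query so the example runs offline.
# Each entry: list of (preference, exchange) as a resolver would return them,
# including trailing dots and mixed case, which must be normalised.
CONSTRUCTED_MX = {
    "acme.org": [(20, "backup.coolmailer.com."), (10, "coolmailer.com.")],
    "example.net": [(5, "MX1.Example.NET.")],
}


def query_mx(domain, records=CONSTRUCTED_MX):
    """Return MX hostnames for domain, lowest preference first, normalised
    to lower case without the trailing dot (matches how MTAs log peers)."""
    key = domain.strip().lower().rstrip(".")
    rrs = records.get(key, [])
    return [host.lower().rstrip(".") for _, host in sorted(rrs)]


def best_mx(domain, records=CONSTRUCTED_MX):
    """Primary (lowest-preference) MX host, or "" when the domain has none.
    Returning an empty field rather than raising keeps the lookup from
    aborting the whole search on a domain with no MX."""
    hosts = query_mx(domain, records)
    return hosts[0] if hosts else ""


def run_lookup(rows, domain_field="domain", mx_field="mx_host",
               records=CONSTRUCTED_MX):
    """Fill mx_field from domain_field in each row (forward lookup only).
    Rows that already carry mx_host are passed through unchanged."""
    out = []
    for row in rows:
        row = dict(row)
        if row.get(domain_field) and not row.get(mx_field):
            row[mx_field] = best_mx(row[domain_field], records)
        out.append(row)
    return out


def main(stdin=sys.stdin, stdout=sys.stdout):
    # External lookup protocol: CSV in, same header CSV out.
    reader = csv.DictReader(stdin)
    fieldnames = reader.fieldnames or ["domain", "mx_host"]
    writer = csv.DictWriter(stdout, fieldnames=fieldnames,
                            extrasaction="ignore")
    writer.writeheader()
    for row in run_lookup(reader):
        writer.writerow(row)


if __name__ == "__main__":
    main()
```

With the script registered as an external lookup (say `mxlookup`, a name assumed here), the domain-to-host step can then sit in a subsearch so it runs before the main search, along the lines of `sourcetype=whatever [| makeresults | eval domain="acme.org" | lookup mxlookup domain OUTPUT mx_host | return $mx_host] | stats count by encryption_level`; `return $mx_host` hands the bare host value to the outer search as the term to match.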