Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- About Snazter57
Snazter57
New Member
Member since:
12-20-2013
06-05-2020
Community Statistics
| Posts | 5 |
| Solutions | 0 |
| Karma Given | 0 |
| Karma Received | 0 |
| Member Since | 12-20-2013 |
Activity Feed
- Posted Re: IF DNS searched then lookup IP to allow search on IP in index on Splunk Search. 01-03-2014 07:14 AM
- Posted IF DNS searched then lookup IP to allow search on IP in index on Splunk Search. 01-02-2014 05:42 AM
- Tagged IF DNS searched then lookup IP to allow search on IP in index on Splunk Search. 01-02-2014 05:42 AM
- Tagged IF DNS searched then lookup IP to allow search on IP in index on Splunk Search. 01-02-2014 05:42 AM
- Posted Re: Display results only above a certain number on Splunk Search. 12-23-2013 02:42 AM
- Posted Re: Display results only above a certain number on Splunk Search. 12-20-2013 09:05 AM
- Posted Display results only above a certain number on Splunk Search. 12-20-2013 08:33 AM
- Tagged Display results only above a certain number on Splunk Search. 12-20-2013 08:33 AM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 |
01-03-2014
07:14 AM
Hi lguinn, I have been working with your answer on and off today and it is a good start and has got me thinking. The answer seems to have a problem outputting host as hostname if I set $srcinput as a DNS name. I may have interpreted your answer incorrectly as I can't see why the "where" command is needed or why. I am currently building the query in Search as I can't get the App to use external_lookup.py (I think I need to restart Splunk to accept the App changes, new transforms.conf etc). Do I need to do another search after the where once I have populated srcipToMatch?
... View more
01-02-2014
05:42 AM
I have an App that allows users to enter IP addresses and find if the connections between source and destination have been allowed.
I thought it would be useful if the user could enter a DNS entry as this is more user friendly so I started experimenting with searches that use the external_lookup.py script. I started off with this one just to prove the script worked:
index=network srcip=10.1.12.123 AND dstip=10.1.22.10 AND (scrport=80 OR dstport=88) AND Built
| lookup dnsLookup ip as srcip OUTPUT host AS scrhost
| lookup dnsLookup ip as dstip OUTPUT host AS dsthost
| table scrhost,srcport,dsthost,dstport,host
All well and good so far but what if the user enters a DNS name in the applications form and the search fields srcip and/or dstip become DNS names instead of IP addresses.
How do I tell dnsLookup to look for host? Do I even bother, would it be better to convert the DNS name back to an IP and keep the lookups as they are?
I know that external_lookup.py will perform Reverse DNS lookups but I can't get my head round how achieve this in this situation.
Should I just do a lookup for both then display the DNS returns only (I don't want the IP addresses in the results only the DNS)?
Any thoughts are welcome.
It probably worth pointing out that the index contains no DNS entries only IP addresses.
... View more
12-23-2013
02:42 AM
Thanks lguinn (and somesoni2) that has indeed helped. I had to remove the filenull value="N/A" and change to "" then use replace to populate blank IP_PORT values in a table i added to the end of the query.
... View more
12-20-2013
09:05 AM
Hi lguinn, I had previously tried using that method but when the table populates I get the correct count in two records as expected but the GEN_ERR and URL_OR_APP are marked as N/A by the fillnull command. Omitting fillnull it returns 20 events but no table.
... View more
12-20-2013
08:33 AM
Hi all,
I am having trouble displaying search results when I specify that the returned results must be greater than six in the specified time period.
I have looked at:
http://answers.splunk.com/answers/70433/display-results-only-above-certain-number
The query I have works until I use the stats command to perform counting. Its been a long day so it will most likely be something simple but I just can't see it yet, so here goes:
"Error during SSL Handshake" OR "Connection timed out" OR "Connection refused"
| rex "Connection (?<CONN_ERR>.+): proxy: HTTPS: attempt to connect to (?<IP_PORT>.+) \((?<URL_ID>.+)\).+"
| rex "] proxy: (?<SSL_ERR>.+) with remote server returned by (?<APP_ID>.+)"
| eval GEN_ERR=mvappend (CONN_ERR,"",SSL_ERR)
| eval URL_OR_APP=mvappend (URL_ID,"",APP_ID)
| fillnull value=N/A
| table host, GEN_ERR, IP_PORT, URL_OR_APP
This query returns a fully populated table with nine "timed out" errors and eleven "SSL" errors in my test time frame.
If I try to
stats count by host, GEN_ERR, IP_PORT, URL_OR_APP
| search count > 6
| table host, GEN_ERR, IP_PORT, URL_OR_APP
The table then becomes a little bit of a mess with what appears to be (from the count displayed) duplicates with blank fields and then also the fully populated returns on separate lines.
Where did I go wrong?
... View more
- Tags:
- stats
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:03 AM
|
