Re: How to resolve top 10 ip addresses

pjb2160 · ‎03-09-2018

So, I'm running the following on some logs which have the dest_ip but no url. I want to report on the top domains by bandwidth:

index=proxy bytes=* 
| fields + user dest_ip bytes bytes_in bytes_out 
| stats sum(bytes) as total_bytes sum(bytes_in) as total_bytes_in sum(bytes_out) as total_bytes_out by dest_ip 
| eval "Total Bandwidth"=round(((total_bytes/1024)/1024),2), "Download"=round(((total_bytes_in/1024)/1024),2), "Upload"=round(((total_bytes_out/1024)/1024),2) 
| table dest_ip,"Total Bandwidth","Download","Upload"
| rename dest_ip as "Target IP Address"
| sort limit=10 -"Total Bandwidth"

I figure, it'd be most efficient to try and resolve the top 10 ip addresses only. Any pointers?

Cheers,
pjb2160

Teddles · ‎03-12-2018

Hello pgj2160,

As mayurr98 has already said, try adding the following stanza to transforms.conf:

[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

Then in your search, add a lookup:

| lookup dnsLookup ip AS dest_ip OUTPUT host AS "Target URL"

That should give you what you're after, but do let us know if it's no good!

mayurr98 · ‎03-09-2018

have a look at this answer
https://answers.splunk.com/answers/86585/resolve-ip-to-host.html

How to resolve top 10 ip addresses

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?