Splunk Dev
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to resolve top 10 ip addresses

pjb2160
Path Finder
‎03-09-2018 01:59 AM

So, I'm running the following on some logs which have the dest_ip but no url. I want to report on the top domains by bandwidth:

index=proxy bytes=* 
| fields + user dest_ip bytes bytes_in bytes_out 
| stats sum(bytes) as total_bytes sum(bytes_in) as total_bytes_in sum(bytes_out) as total_bytes_out by dest_ip 
| eval "Total Bandwidth"=round(((total_bytes/1024)/1024),2), "Download"=round(((total_bytes_in/1024)/1024),2), "Upload"=round(((total_bytes_out/1024)/1024),2) 
| table dest_ip,"Total Bandwidth","Download","Upload"
| rename dest_ip as "Target IP Address"
| sort limit=10 -"Total Bandwidth"

I figure, it'd be most efficient to try and resolve the top 10 ip addresses only. Any pointers?

Cheers,
pjb2160

0 Karma
Reply

Teddles
Explorer
‎03-12-2018 09:29 PM

Hello pgj2160,

As mayurr98 has already said, try adding the following stanza to transforms.conf:

[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

Then in your search, add a lookup:

| lookup dnsLookup ip AS dest_ip OUTPUT host AS "Target URL"

That should give you what you're after, but do let us know if it's no good!

Reply

mayurr98
Super Champion
‎03-09-2018 03:21 AM

have a look at this answer
https://answers.splunk.com/answers/86585/resolve-ip-to-host.html

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...