- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to do a lookup for timechart headers
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to do a lookup for timechart headers
Hello!
I have made a timechart with a command: (...) *| timechart limit=10 sum(bytes) by src_ip* .
So I got top (really? why? - that is my first question) ten IP addresses - as column headers. Now I want to translate these into hostnames. And my second question: How to do that?
sflow | eval bytes = formatbytestom(bytes) | timechart limit=50 sum(bytes) by src_ip | fields - OTHER | lookup ip_lookup ip as src_ip output host as src_ip
- this was my first idea, but it can't work as I don't have src_ip column now, only the 10.245.1.56, 10.245.1.57 etc. Next idea was to use rename command, but how can I rename every column, for example with eval? Wildcard is not working here.
The problem is I dont't want to resolve all hostnames before drawing a chart (some thousands of ip addresses - it'd take many minutes), only top ten just after selecting top ten addresses.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have found a way to do this, sort of. I did an untable that was recommended to be able to search a timechart.
So in yours, you would most likely need something like the following:
sflow | eval bytes = formatbytestom(bytes) | timechart limit=50 sum(bytes) by src_ip | untable _time, src_ip, sum | lookup ip_lookup ip as src_ip output host as src_ip | timechart sum(sum) by host
You may have to play with it but that is the basis of what I did. Untable will pull the header values into a column, manipulate that, and then put it back into a timechart.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What if you did the lookup before the timechart command and change the timechart command to group by hostname. Something like this
sflow | eval bytes = formatbytestom(bytes) | lookup ip_lookup ip as src_ip output host as hostname | timechart limit=50 sum(bytes) by hostname
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That was my first thought but I noticed this in the description of the problem:
The problem is I dont't want to resolve all hostnames before drawing a chart (some thousands of ip addresses - it'd take many minutes), only top ten just after selecting top ten addresses.
So I did not give that as a response.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Only problem with the above is that OTHER from the first timechart will come back with NULL in the second since OTHER is probably not in your lookup. If you put the lookup translation in there as well, it should work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I imagine you could achieve this using the new foreach command that exists in Splunk 6.0 and onwards: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Bump! Is it possible? 😞
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
