Hello!
I have made a timechart with a command: (...) | timechart limit=10 sum(bytes) by src_ip
So I got top (really? why? - that is my first question) ten IP addresses - as column headers. Now I want to translate these into hostnames. And my second question: How to do that?
sflow
| eval bytes = formatbytestom(bytes)
| timechart limit=50 sum(bytes) by src_ip
| fields - OTHER
| lookup ip_lookup ip as src_ip output host as src_ip
The problem is I don't want to resolve all hostnames before drawing a chart (some thousands of IP addresses - it'd take many minutes), only the top ten just after selecting the top ten addresses.
I have found a way to do this, sort of. I did an untable that was recommended to be able to search a timechart.
So in yours, you would most likely need something like the following:
sflow | eval bytes = formatbytestom(bytes) | timechart limit=50 sum(bytes) by src_ip | untable _time, src_ip, sum | lookup ip_lookup ip as src_ip output host as src_ip | timechart sum(sum) by src_ip
You may have to play with it but that is the basis of what I did. Untable will pull the header values into a column, manipulate that, and then put it back into a timechart.
What if you did the lookup before the timechart command and changed the timechart command to group by hostname? Something like this:
sflow | eval bytes = formatbytestom(bytes) | lookup ip_lookup ip as src_ip output host as hostname | timechart limit=50 sum(bytes) by hostname
That was my first thought but I noticed this in the description of the problem:
The problem is I don't want to resolve all hostnames before drawing a chart (some thousands of IP addresses - it'd take many minutes), only the top ten just after selecting the top ten addresses.
So I did not give that as a response.
Only problem with the above is that OTHER from the first timechart will come back with NULL in the second since OTHER is probably not in your lookup. If you put the lookup translation in there as well, it should work.
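Added example, not posted by anyone in this thread: the untable approach from the accepted-style answer above, with the edge case raised in the previous comment handled so that the OTHER series and any IP missing from the lookup keep their original label instead of collapsing into a NULL series. It assumes the thread's sflow source, the formatbytestom() eval and an ip_lookup table with fields ip and host; only the first timechart sees the full IP set, so the lookup runs against at most eleven distinct values.

```spl
sflow
| eval bytes = formatbytestom(bytes)
| timechart limit=10 sum(bytes) by src_ip
| untable _time src_ip sum_bytes
| lookup ip_lookup ip AS src_ip OUTPUT host AS hostname
| eval hostname = coalesce(hostname, src_ip)
| timechart sum(sum_bytes) by hostname
```

Run `| inputlookup ip_lookup | head 5` first to confirm the lookup's field names are really ip and host before wiring it in.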
I imagine you could achieve this using the new foreach command that exists in Splunk 6.0 and onwards: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach
Bump! Is it possible? 😞