Splunk Search

How to do a lookup for timechart headers

lukasz92
Communicator

Hello!

I have made a timechart with a command: (...) | timechart limit=10 sum(bytes) by src_ip

So I got the top ten (really? why? - that is my first question) IP addresses as column headers. Now I want to translate these into hostnames. And my second question: how do I do that?


sflow | eval bytes = formatbytestom(bytes) | timechart limit=50 sum(bytes) by src_ip | fields - OTHER | lookup ip_lookup ip as src_ip output host as src_ip

This was my first idea, but it can't work as I don't have a src_ip column now, only 10.245.1.56, 10.245.1.57 etc. My next idea was to use the rename command, but how can I rename every column, for example with eval? Wildcards are not working here.

The problem is I don't want to resolve all hostnames before drawing a chart (some thousands of IP addresses - it'd take many minutes), only the top ten, just after selecting the top ten addresses.

0 Karma

jsilverbears
Path Finder

I have found a way to do this, sort of. I did an untable that was recommended to be able to search a timechart.
So in yours, you would most likely need something like the following:
sflow | eval bytes = formatbytestom(bytes) | timechart limit=50 sum(bytes) by src_ip | untable _time src_ip sum | lookup ip_lookup ip as src_ip output host as src_ip | timechart sum(sum) by src_ip

You may have to play with it but that is the basis of what I did. Untable will pull the header values into a column, manipulate that, and then put it back into a timechart.

0 Karma

sundareshr
Legend

What if you did the lookup before the timechart command and changed the timechart command to group by hostname? Something like this:

sflow | eval bytes = formatbytestom(bytes) | lookup ip_lookup ip as src_ip output host as hostname | timechart limit=50 sum(bytes) by hostname

0 Karma

jsilverbears
Path Finder

That was my first thought but I noticed this in the description of the problem:

The problem is I don't want to resolve all hostnames before drawing a chart (some thousands of IP addresses - it'd take many minutes), only the top ten, just after selecting the top ten addresses.

So I did not give that as a response.

0 Karma

jsilverbears
Path Finder

The only problem with the above is that OTHER from the first timechart will come back with NULL in the second, since OTHER is probably not in your lookup. If you put the lookup translation in there as well, it should work.

0 Karma
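An added worked example of the untable approach (this is not code from anyone in the thread) that also handles the missing-lookup case just discussed: if the lookup has no row for a column name, including OTHER, the original header is kept instead of the series collapsing into a null hostname. It assumes the names used in the thread: a search called sflow that yields a bytes field, a lookup table ip_lookup with fields ip and host, and an IP field src_ip.

```spl
sflow
| timechart limit=10 sum(bytes) by src_ip
| fields - OTHER
| untable _time src_ip bytes
| lookup ip_lookup ip AS src_ip OUTPUT host AS hostname
| eval hostname=coalesce(hostname, src_ip)
| xyseries _time hostname bytes
```

Because untable runs after timechart has already reduced the data to ten series, only those ten column names pass through the lookup, rather than one lookup per raw event. The coalesce keeps any unresolved IP (or OTHER, if you drop the fields line) as its own column, and xyseries rebuilds the wide table on the existing time buckets without re-aggregating; a final timechart sum(bytes) by hostname would also work but re-buckets the data.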

Ayn
Legend

I imagine you could achieve this using the new foreach command that exists in Splunk 6.0 and onwards: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Foreach

0 Karma

lukasz92
Communicator

Bump! Is it possible? 😞

0 Karma