I'm trying to build a server healthcheck dashboard in which a user enters a hostname and is returned a series. One of the panels I would like to return is a search of our load balancer logs showing if the server has any failed monitors. My problem is that the load balancer logs record everything by IP. So I need to be able to take the hostname that the user enters, perform a DNS lookup on it, then use the resulting IP in a search of the load balancer logs.
I've gotten as far as being able to perform the DNS lookup of the hostname, but I can't figure out how to then take and perform the second search.
Thanks for any help.
Another, simpler option along the same lines would be:
sourcetype=ltm_log | lookup dnslookup clientip as host | rename clienthost as hostname | "your filter"
I figured this one out with a subsearch:
sourcetype=ltm_log [search host=foo | lookup dnslookup clienthost as host | rename clientip as ltm_pool_member | return ltm_pool_member]
What this does is execute the subsearch and return 'ltm_pool_member="x.x.x.x"' to the parent search.
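The hostname-to-IP-to-log-filter flow that the subsearch answer describes, modelled in Python as an added example (this is not code from the thread or from Splunk): a constructed resolver table stands in for the DNS lookup, constructed LTM-style monitor lines stand in for the `ltm_log` events, `subsearch_clause()` builds the same `ltm_pool_member="x.x.x.x"` filter the subsearch hands back to the parent search, and `failed_monitors()` applies it with exact IP equality so `10.1.2.3` never matches a `10.1.2.30` member. Hostnames, IPs, field names and log format are all assumptions.

```python
import re
from typing import Dict, List

# Constructed resolver table standing in for the real DNS lookup.  In practice this
# would come from socket.gethostbyname_ex() or Splunk's dnslookup; a fixed table
# keeps the example offline and deterministic.
RESOLVER: Dict[str, List[str]] = {
    "foo.example.com": ["10.1.2.3"],
    "bar.example.com": ["10.1.2.30", "10.1.2.31"],  # host with two A records
}

# Constructed F5 LTM-style monitor messages (the thread's sourcetype=ltm_log).
# Note that the second line contains "10.1.2.3" as a substring of "10.1.2.30".
LTM_LOG = """\
Jan 10 10:00:01 lb1 notice mcpd[1234]: Pool /Common/web_pool member /Common/10.1.2.3:80 monitor status down.
Jan 10 10:00:05 lb1 notice mcpd[1234]: Pool /Common/web_pool member /Common/10.1.2.30:80 monitor status up.
Jan 10 10:00:09 lb1 notice mcpd[1234]: Pool /Common/web_pool member /Common/10.1.2.31:80 monitor status down.
Jan 10 10:00:12 lb1 notice mcpd[1234]: Pool /Common/web_pool member /Common/10.1.2.3:443 monitor status up.
"""

# Assumed message layout: "member /Common/<ip>:<port> monitor status <up|down>."
MEMBER_RE = re.compile(
    r"member /Common/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) monitor status (?P<status>\w+)"
)


def resolve(hostname: str) -> List[str]:
    """Forward-resolve a hostname to all of its addresses (empty list if unknown)."""
    return RESOLVER.get(hostname.strip().lower(), [])


def subsearch_clause(hostname: str) -> str:
    """Build the filter a `| return ltm_pool_member` subsearch would hand to the
    parent search.  A host with several addresses gets an OR-ed clause, and an
    unresolvable host gets a clause that cannot match, so the dashboard panel
    shows nothing rather than every load balancer event."""
    ips = resolve(hostname)
    if not ips:
        return 'ltm_pool_member="<unresolved>"'
    parts = [f'ltm_pool_member="{ip}"' for ip in ips]
    return "(" + " OR ".join(parts) + ")" if len(parts) > 1 else parts[0]


def failed_monitors(hostname: str, log: str = LTM_LOG) -> List[dict]:
    """Return the 'monitor status down' events for every address of `hostname`.
    The IP comparison is an exact string match on the parsed member address,
    not a substring search over the raw line."""
    ips = set(resolve(hostname))
    hits: List[dict] = []
    for line in log.splitlines():
        m = MEMBER_RE.search(line)
        if not m:
            continue  # not a pool-member monitor message
        if m["ip"] in ips and m["status"] == "down":
            hits.append({"ip": m["ip"], "port": int(m["port"]), "line": line})
    return hits


if __name__ == "__main__":
    for host in ("foo.example.com", "bar.example.com", "nope.example.com"):
        print(host, "->", subsearch_clause(host))
        for hit in failed_monitors(host):
            print("   failed:", hit["ip"], hit["port"])
```

One design point worth carrying back to the SPL version: `return` emits only the first result by default, so a host with more than one A record would be filtered on a single address unless a count is given (`return 10 ltm_pool_member`, or `format` after collecting all addresses); the Python clause OR-s every address for that reason.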
You need to get the data from the DNS lookup into Splunk, either as a lookup file (CSV) or by having the data indexed with a timestamp. If you create a lookup or CSV file, make sure that file is inside a lookups folder inside a Splunk app. Then it is as simple as:
some_search | lookup lookupfilename.csv hostname OUTPUT <field-list>