I am generating a daily report for all IP addresses that are bypassing internal DNS server.

For e.g.

index=fw_logs earliest=-24h dst_port=53 src_ip!=DNS_Servers  dst_ip!=Intranet_Subnet| eventstats count by src_ip dst_ip  | dedup src_ip | sort -count|table receive_time, src_ip, src_host, dst_ip,count,action

Result of the query:

receive_time                            src_ip            dst_IP    count     action
2014/10/01 13:33:47              10.1.1.1        8.8.8.8    5             Allow

Now, I would like to add another hostname column to the report which is the FQDN for the IP under src_ip. If I was doing it in real time or every couple of hours, I can use the internal dnslookup and it works. But if I am looking at older events a few hours later, in a DHCP environment, IP-Name mapping changes. I have that information available in a different index though.

Here are the log entries from the index dhcp:

10/1/14 1:12:48.000 PM  32,10/01/14,13:12:48,DNS Update Successful,10.1.1.1,cool7234.somecompany.com,,,0,6,,,
10/1/14 1:45:08.000 PM  32,10/01/14,13:45:08,DNS Update Successful,10.1.1.1,cool7234.somecompany.com,,,0,6,,,

I am trying to populate the host part in the daily report above. The problem is I cannot provide exact time to DHCP in a subsearch. The time will be around the receive_time when the event in the report was triggered. How do I get the FQDN from index=dhcp using the IP and time from the first search where index=fw_logs?