Splunk Search

Lookup of DNS from proxy logs to enrich firewall traffic search

alandeandrea
Explorer

I'm looking to enrich a search of firewall IP data with DNS host data from proxy logs. To be clear, I don't want to do a DNS reverse lookup, I want to use information that is already in my proxy logs.

So basically, I'm looking to enrich the output of Search 1 (firewalls_traffic) by adding a field with a value based on the results of Search 2 (proxy_logs).

Search 1:

sourcetype=firewall_traffic (some criteria * ) | stats sum(bytes_sent), count(repeat_count) by src_ip,application,dst_ip | ?? Add new field with values from Search 2 ?? | sort 10 -bytes_sent

Search 2:

sourcetype=proxy_logs ?? dst_ip value from Search 1 ?? | fields dns_name | head 1

Thanks,
Al

0 Karma

proletariat99
Communicator

So you can use a Splunk subsearch, but it's not very intuitive and the docs are relatively worthless, with only the simplest examples. Essentially, you sort of have to do it backwards. In other words, you need your proxy search first and your firewall search second. Kind of like this:

    sourcetype=proxy_logs [search sourcetype=firewall_traffic (some criteria *) | stats sum(bytes_sent) as bytes_sent, count(repeat_count) by src_ip,application,dst_ip | sort 10 -bytes_sent | fields dst_ip] | fields dns_name | head 1

I can't really test this, but hopefully you get the idea.

Hope that helps!

0 Karma
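For the field the question asks for, here is an added example that is not code from either poster: the firewall search stays the outer search and `dns_name` is pulled in with a left `join` on `dst_ip` from a proxy subsearch, so every firewall row keeps its stats and picks up the most recent name the proxy saw for that destination. The `(some criteria *)` placeholder is kept from the question; the `AS` aliases (`bytes_sent`, `hit_count`) and the `unknown` fill value are assumptions, the alias on the sum being what lets the final `sort` act on the aggregate.

```spl
sourcetype=firewall_traffic (some criteria *)
| stats sum(bytes_sent) AS bytes_sent, count(repeat_count) AS hit_count
        BY src_ip, application, dst_ip
| join type=left dst_ip
    [ search sourcetype=proxy_logs dns_name=*
      | stats latest(dns_name) AS dns_name BY dst_ip ]
| fillnull value="unknown" dns_name
| sort 10 -bytes_sent
| table src_ip, application, dst_ip, dns_name, bytes_sent, hit_count
```

`join` runs the proxy search as a subsearch, so it is bounded by the subsearch row and time limits in limits.conf; if the proxy result set is large, reduce it with a tighter time range or store the `dst_ip`-to-`dns_name` mapping in a lookup and use `lookup` instead.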

satishsdange
Builder
0 Karma

alandeandrea
Explorer

Thanks for the link, and from the description you would think it should help, but it doesn't.

I have used subsearches but only in another context, namely to supply search criteria to an 'outer' search with results from an 'inner' search.

I'm not looking to do that here... I'm looking to add an additional field and values to Search 1 based on data in Search 2.

0 Karma

alandeandrea
Explorer

Actually I need to investigate your feedback a bit more... thanks for the tip.

0 Karma