Splunk Search

new field using information from other sourcetype

are0002
Path Finder

Hello,

I have two sourcetypes: pan_threat and pan_traffic (app SplunkforPaloAltoNetworks).
In pan_threat I have the relation between destinationIP and destinationHostname, and in pan_traffic I have only destinationIP.

I want to create a new field in pan_traffic with the destinationHostname info using the pan_threat information.

I used the external_lookup.py to do a reverse DNS resolution, but the reverse DNS resolution is not equal to the destinationHostname in pan_threat.


Kate_Lawrence-G
Contributor

Hi,

Well, a field is defined either through a field extraction or a transforms.conf file and is usually set by sourcetype or source.

If the dst_hostname information is available but not extracted in pan_traffic you can extract it with the rex command using a regular expression. This will create a new field you can use with that sourcetype.

Otherwise, if the dst_hostname field doesn't exist in pan_traffic and you want to use it, you can use an appended search to add that search. Something like this:

sourcetype=pan_traffic dst_ip=* | append [search sourcetype=pan_threat | fields dst_ip,dst_hostname] | stats values(dst_ip) by dst_hostname

but it will only be able to pull the dst_hostnames where they match the dst_ip of the pan_traffic sourcetype.


are0002
Path Finder

Hi Kate,

I want to add a new hostname field in pan_traffic using the information that I have in pan_threat.

pan_traffic has only dst_ip, and pan_threat has a dst_ip and dst_hostname.
I want a dst_hostname field in pan_traffic.

Thank you


Kate_Lawrence-G
Contributor

Hi,

If I'm reading this correctly, you want to pass the hostname available in the pan_threat source but use that hostname in the pan_traffic data.

You should be able to do that with a subsearch; something like:

sourcetype=pan_traffic destinationIP=* [search sourcetype=pan_threat | fields destinationHostname] | stats values(destinationIP) BY destinationHostname

This basically does a join and finds where the destinationIP matches and pulls the hostname field out so it can be reported on.

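The enrichment both answers are describing, written out as an added example (not a search posted in this thread and not part of the SplunkforPaloAltoNetworks app). It assumes the field names dst_ip and dst_hostname used in the thread; the app may extract them under other names, so check the actual field names in your events first. The first search enriches pan_traffic events in place by building the IP-to-hostname mapping from pan_threat events in the same time range; the second pair persists that mapping in a lookup named pan_dst_hostname.csv (a name chosen here) so it can be applied to pan_traffic without re-reading pan_threat every time:

```spl
(sourcetype=pan_traffic OR sourcetype=pan_threat) dst_ip=*
| eventstats values(dst_hostname) AS dst_hostname by dst_ip
| search sourcetype=pan_traffic
| table _time src_ip dst_ip dst_hostname

sourcetype=pan_threat dst_ip=* dst_hostname=*
| stats latest(dst_hostname) AS dst_hostname by dst_ip
| outputlookup pan_dst_hostname.csv

sourcetype=pan_traffic dst_ip=*
| lookup pan_dst_hostname.csv dst_ip OUTPUT dst_hostname
| fillnull value="unknown" dst_hostname
| table _time src_ip dst_ip dst_hostname
```

The eventstats form is the direct equivalent of a join keyed on dst_ip: hostnames seen in pan_threat are attached to every pan_traffic event with the same destination IP, and the trailing search keeps only the traffic events. It only knows about IPs that produced a threat event inside the searched window, which is the same limitation Kate notes for the append version. The lookup form decouples the two: run the outputlookup search on a schedule (it keeps the most recent hostname per IP), then the lookup command adds dst_hostname to any pan_traffic search, and fillnull makes the IPs with no known hostname explicit rather than leaving the field empty. Because this hostname comes from the threat log rather than reverse DNS, it will differ from what external_lookup.py returns, which is what the original question observed.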