Hi All,
I have a search that gives me the top 20 IPs visiting my website. I also have a working dnslookup version of the search, which is way slower. I'm trying to figure out how to do the DNS lookup only on the top 20 results that are returned:
No DNS lookup, pretty quick
sourcetype=access_combined | top clientip limit=20
DNS lookup orders of magnitude slower
sourcetype=access_combined | lookup dnslookup clientip | top clientip,clienthost limit=20
I've also tried this, but it isn't quite what I want either:
[ search sourcetype=access_combined | top clientip limit=20 | table clientip] | lookup dnslookup clientip | top clientip,clienthost
I want something like this:
sourcetype=access_combined | top clientip,clienthost limit=20 | lookup dnslookup clientip
I've set up dnsmasq on 127.0.0.1 on the search head and was curious where exactly the external_lookup.py script looks for DNS resolution.
Thanks in advance
Brian
How about this
sourcetype=access_combined | top clientip limit=20 | lookup dnslookup clientip
Ahh, that plus adding ...
sourcetype=access_combined | top clientip limit=20 | lookup dnslookup clientip | table clientip, clienthost, count, percent
Gives me exactly what I want
Thanks!
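The thread's point is that the order of the pipeline decides how many lookups run: `lookup` before `top` resolves every event, while `top` before `lookup` resolves only the N surviving rows. The following Python script, added here as an illustration and not part of the thread or of Splunk's own dnslookup code, models both pipelines over a constructed set of access_combined events with a constructed reverse-DNS table (no real DNS is queried) and counts how many times the lookup is invoked in each case.

```python
import re
from collections import Counter

# Constructed sample access_combined events (not real traffic). Only the
# leading client IP field is used here.
SAMPLE_EVENTS = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "curl/8.0"',
    '192.0.2.10 - - [10/Oct/2023:13:55:37 +0000] "GET /a HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /b HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:39 +0000] "GET /c HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /d HTTP/1.1" 200 512 "-" "curl/8.0"',
    '192.0.2.10 - - [10/Oct/2023:13:55:41 +0000] "GET /e HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:42 +0000] "GET /f HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:43 +0000] "GET /g HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:44 +0000] "GET /h HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:55:45 +0000] "GET /i HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [10/Oct/2023:13:55:46 +0000] "GET /j HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:47 +0000] "GET /k HTTP/1.1" 200 512 "-" "curl/8.0"',
]

# Constructed reverse-DNS table standing in for the dnslookup external lookup,
# so the example runs offline and deterministically. 10.0.0.8 is deliberately
# absent to show an unresolved clienthost.
FAKE_REVERSE_DNS = {
    "10.0.0.5": "web-proxy.example.internal",
    "192.0.2.10": "scanner.example.net",
    "198.51.100.7": "crawler.example.org",
    "203.0.113.9": "vpn-gw.example.com",
}

CLIENTIP_RE = re.compile(r"^(?P<clientip>\S+)\s")


def parse_clientip(event):
    """Extract the clientip field from an access_combined line (None if malformed)."""
    m = CLIENTIP_RE.match(event)
    return m.group("clientip") if m else None


def top_clientip(events, limit=20):
    """Mimic `top clientip limit=N`: rows of clientip, count, percent."""
    counts = Counter(ip for ip in map(parse_clientip, events) if ip)
    total = sum(counts.values())
    return [
        {"clientip": ip, "count": n, "percent": round(100.0 * n / total, 6)}
        for ip, n in counts.most_common(limit)
    ]


class CountingLookup:
    """Wrap a lookup table so we can see how many times the lookup is invoked."""

    def __init__(self, table):
        self.table = table
        self.calls = 0

    def __call__(self, ip):
        self.calls += 1
        return self.table.get(ip, "")


def top_then_lookup(events, lookup, limit=20):
    """`... | top clientip limit=N | lookup dnslookup clientip | table clientip, clienthost, count, percent`"""
    rows = top_clientip(events, limit)
    for row in rows:
        row["clienthost"] = lookup(row["clientip"])  # one lookup per surviving row
    return [{k: row[k] for k in ("clientip", "clienthost", "count", "percent")} for row in rows]


def lookup_then_top(events, lookup, limit=20):
    """`... | lookup dnslookup clientip | top clientip,clienthost limit=N`"""
    enriched = []
    for event in events:
        ip = parse_clientip(event)
        if ip:
            enriched.append((ip, lookup(ip)))  # one lookup per event
    counts = Counter(enriched)
    total = sum(counts.values())
    return [
        {"clientip": ip, "clienthost": host, "count": n, "percent": round(100.0 * n / total, 6)}
        for (ip, host), n in counts.most_common(limit)
    ]


if __name__ == "__main__":
    slow, fast = CountingLookup(FAKE_REVERSE_DNS), CountingLookup(FAKE_REVERSE_DNS)
    print(lookup_then_top(SAMPLE_EVENTS, slow, limit=3), "lookup calls:", slow.calls)
    print(top_then_lookup(SAMPLE_EVENTS, fast, limit=3), "lookup calls:", fast.calls)
```

Both orderings produce the same rows, but the enrich-first pipeline calls the lookup once per event while the aggregate-first pipeline calls it once per reported row, which is why the accepted search finishes so much faster on a busy access log.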