Solved: How to a DNS lookup on the top 20 IP results retur...

bkosick · ‎06-01-2016

Hi All,

I have a search that gives me the top 20 IP's visiting my website. I also, have a working dnslookup version of the search which is way slower. I'm trying to figure out how to do the dns lookup only on the top 20 results that are returned:

No DNS lookup, pretty quick

sourcetype=access_combined | top clientip limit=20

DNS lookup orders of magnitude slower

sourcetype=access_combined | lookup dnslookup clientip | top clientip,clienthost limit=20

I've also tried this, but it isn't quite what I want either:

[ search sourcetype=access_combined  | top clientip limit=20 | table clientip] | lookup dnslookup clientip | top clientip,clienthost

I want something like this:

sourcetype=access_combined | top clientip,clienthost limit=20 | lookup dnslookup clientip

I've set up dnsmasq on 127.0.0.1 on the search head and was curious where exactly the external_lookup.py script looks for dns resolution.

Thanks in advance
Brian

somesoni2 · ‎06-01-2016

How about this

 sourcetype=access_combined | top clientip limit=20 | lookup dnslookup clientip

View solution in original post

somesoni2 · ‎06-01-2016

How about this

 sourcetype=access_combined | top clientip limit=20 | lookup dnslookup clientip

bkosick · ‎06-01-2016

Ahh, that plus adding ...

sourcetype=access_combined | top clientip limit=20 | lookup dnslookup clientip | table clientip, clienthost, count, percent

Gives me exactly what I want

Thanks!

How to a DNS lookup on the top 20 IP results returned from a search?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...