Solved: DNS Resolution: How to convert a hostname entered ...

peters1901 · ‎07-06-2016

I am taking a hostname through a form textbox. I want to convert that hostname to an IP address and use that IP address in a search. How can I accomplish this?

MuS · ‎07-06-2016

Hi peters1901,

this is not really a DNS resolution, but it will show you how it can be done using a lookup table containing host name and ip's:

ip,host
192.168.56.10,master
192.168.56.11,node1
192.168.56.12,node2
192.168.56.13,node3

Using this dash board you will be able to search in index=_internal for an IP based on the select host name in the drop down:

<form>
  <label>Host name to ip search</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="host" searchWhenChanged="true">
      <label>Host</label>
      <search>
        <query>index=_internal host=* | dedup host | table host</query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal [ search index=_* host=$host$ | lookup ip2hosts host | dedup host | rename ip AS clientip | return clientip ] | timechart span=1d count by clientip</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>

Of course you need to adapt it to your needs and don't nail me on performance, since I never tested this in larger environments 😉
Based on the docs about external lookups http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Configureexternallookups#External_lookup... you can replace the text file based lookup with a script based lookup.

Hope this helps to get you started ...

cheers, MuS

View solution in original post

somesoni2 · ‎07-06-2016

Assuming that you've dnslookup configured, update your search like this

Use IP address for the hostname as filter in base search (assuming you've a field named ip_address in your data)

index=foo sourcetype=bar [| gentimes start=-1 | eval host="$hostnametoken$" | dnslookup host ip_address | table ip_address ]

Use Use IP address for the hostname as a field value

your base search | eval ip_address=[| gentimes start=-1 | eval host="$hostnametoken$" | dnslookup host ip_address | eval query="\"".ip_address."\"" | table query ]

MuS · ‎07-06-2016

Hi peters1901,

this is not really a DNS resolution, but it will show you how it can be done using a lookup table containing host name and ip's:

ip,host
192.168.56.10,master
192.168.56.11,node1
192.168.56.12,node2
192.168.56.13,node3

Using this dash board you will be able to search in index=_internal for an IP based on the select host name in the drop down:

<form>
  <label>Host name to ip search</label>
  <fieldset submitButton="true">
    <input type="dropdown" token="host" searchWhenChanged="true">
      <label>Host</label>
      <search>
        <query>index=_internal host=* | dedup host | table host</query>
      </search>
      <fieldForLabel>host</fieldForLabel>
      <fieldForValue>host</fieldForValue>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=_internal [ search index=_* host=$host$ | lookup ip2hosts host | dedup host | rename ip AS clientip | return clientip ] | timechart span=1d count by clientip</query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="wrap">true</option>
        <option name="rowNumbers">false</option>
        <option name="dataOverlayMode">none</option>
        <option name="count">10</option>
        <option name="charting.axisLabelsX.majorLabelStyle.overflowMode">ellipsisNone</option>
        <option name="charting.axisLabelsX.majorLabelStyle.rotation">0</option>
        <option name="charting.axisTitleX.visibility">visible</option>
        <option name="charting.axisTitleY.visibility">visible</option>
        <option name="charting.axisTitleY2.visibility">visible</option>
        <option name="charting.axisX.scale">linear</option>
        <option name="charting.axisY.scale">linear</option>
        <option name="charting.axisY2.enabled">0</option>
        <option name="charting.axisY2.scale">inherit</option>
        <option name="charting.chart">column</option>
        <option name="charting.chart.bubbleMaximumSize">50</option>
        <option name="charting.chart.bubbleMinimumSize">10</option>
        <option name="charting.chart.bubbleSizeBy">area</option>
        <option name="charting.chart.nullValueMode">gaps</option>
        <option name="charting.chart.showDataLabels">none</option>
        <option name="charting.chart.sliceCollapsingThreshold">0.01</option>
        <option name="charting.chart.stackMode">default</option>
        <option name="charting.chart.style">shiny</option>
        <option name="charting.drilldown">all</option>
        <option name="charting.layout.splitSeries">0</option>
        <option name="charting.layout.splitSeries.allowIndependentYRanges">0</option>
        <option name="charting.legend.labelStyle.overflowMode">ellipsisMiddle</option>
        <option name="charting.legend.placement">right</option>
      </chart>
    </panel>
  </row>
</form>

Of course you need to adapt it to your needs and don't nail me on performance, since I never tested this in larger environments 😉
Based on the docs about external lookups http://docs.splunk.com/Documentation/Splunk/6.4.1/Knowledge/Configureexternallookups#External_lookup... you can replace the text file based lookup with a script based lookup.

Hope this helps to get you started ...

cheers, MuS

jkat54 · ‎07-06-2016

Is it a form textbox in a XML dashboard, HTML dashboard, or what? Give us more details.

peters1901 · ‎07-06-2016

it is an XML dashboard

DNS Resolution: How to convert a hostname entered in a textbox input form to an IP address to be used in a search?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!