Hi, I know my question is a little bland, so I'll elaborate here:
If I have a user with IP 10.7.102.36 going to www.google.com, and I find both "google.com" and the source IP through our Infoblox DNS and place them into a table, how would I find the IP and place it into the same table? With the table looking something like this:
|| google.com || 10.7.102.36 || John.Doe || _time
The sourcetype required to get the webpage and the IP address is "infoblox:dns", and the sourcetype required to get the username for that IP address is "ias".
Here is my search:
index=* (sourcetype="infoblox:dns") page_name!="" dns_request_client_ip!=""
| table page_name dns_request_client_ip user _time
| search (page_name=*)
| rename page_name as "Site" dns_request_client_ip as "Client IP" | sort - _time
I'd appreciate any help you can give me. I'm quite new to Splunk, so this is a relatively difficult task for me.
There are several ways to do this:
Start here: https://docs.splunk.com/Documentation/Splunk/8.0.1/Knowledge/Aboutlookupsandfieldactions
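As an added illustration of the lookup approach that link describes (this is not part of the answer above, and the field names `src_ip` and `user` in the "ias" sourcetype, plus the lookup file name `ip_to_user.csv`, are assumptions since the question does not show an "ias" event), the first search builds an IP-to-user lookup from the "ias" data, and the second search enriches the Infoblox DNS events with it:

```spl
``` Step 1: build (or refresh) a CSV lookup mapping client IP -> most recent user seen on it.
    Assumed field names: ias events carry src_ip and user. Schedule this search so the lookup stays current. ```
index=* sourcetype="ias" src_ip=* user=*
| stats latest(user) AS user latest(_time) AS last_seen BY src_ip
| outputlookup ip_to_user.csv

``` Step 2: enrich DNS events with the username, matching the DNS client IP against the lookup's src_ip column. ```
index=* sourcetype="infoblox:dns" page_name=* dns_request_client_ip=*
| lookup ip_to_user.csv src_ip AS dns_request_client_ip OUTPUT user
| table page_name dns_request_client_ip user _time
| rename page_name AS "Site" dns_request_client_ip AS "Client IP"
| sort - _time
```

One caveat for anyone using this for investigations: a lookup only holds the latest user per IP, so on DHCP networks an older DNS event may be attributed to whoever holds the address now rather than who held it at query time. When the exact user at a given moment matters, correlate within a time window (the stats-based approach in the other answer) rather than through a static lookup.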
Hi @henryessinghigh,
you could use the join command, but I don't suggest it because it's a very slow command, or stats:
index=* sourcetype=infoblox:dns page_name!="" dns_request_client_ip!="" page_name=*
| stats values(page_name) AS page_name values(user) AS user earliest(_time) AS _time BY dns_request_client_ip
| mvexpand page_name
| mvexpand user
| rename page_name as "Site" dns_request_client_ip as "Client IP"
| sort - _time
Ciao.
Giuseppe
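As an added example (not part of Giuseppe's answer) of carrying the stats approach across both sourcetypes, so that the user field actually comes from the "ias" events: the search below assumes the "ias" sourcetype holds the client address in a field named `src_ip` and the account in `user` (both assumed, since no "ias" event is shown), and uses `coalesce` to give both event types one common key before the stats.

```spl
``` Pull DNS events and identity events in a single search, then join them in stats by client IP.
    Assumed: ias events carry src_ip and user; infoblox:dns events carry page_name and dns_request_client_ip. ```
(index=* sourcetype="infoblox:dns" page_name=* dns_request_client_ip=*)
OR (index=* sourcetype="ias" src_ip=* user=*)
``` One key field for both sourcetypes ```
| eval client_ip=coalesce(dns_request_client_ip, src_ip)
``` Collapse per IP: all sites seen, the user(s) seen, and the earliest event time ```
| stats values(page_name) AS Site values(user) AS user min(_time) AS _time BY client_ip
``` Drop IPs that only appeared in ias with no DNS activity ```
| where isnotnull(Site)
``` One row per site and per user, as in the requested table layout ```
| mvexpand Site
| mvexpand user
| rename client_ip AS "Client IP"
| table Site "Client IP" user _time
| sort - _time
```

Run it over a bounded time range (for example the last 24 hours) so the ias events in that window reflect who actually held the address while the DNS queries happened; the wider the window, the more likely an IP has been reassigned and the stats row carries more than one user.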