
Use a lookup of one field to populate a search

mpitts
Explorer

I'm trying to build a server healthcheck dashboard in which a user enters a hostname and is returned a series. One of the panels I would like to return is a search of our load balancer logs showing if the server has any failed monitors. My problem is that the load balancer logs record everything by IP. So I need to be able to take the hostname that the user enters, perform a DNS lookup on it, then use the resulting IP in a search of the load balancer logs.

I've gotten as far as being able to perform the DNS lookup of the hostname, but I can't figure out how to then take and perform the second search.

Thanks for any help.


somesoni2
Revered Legend

Other simpler option on the similar line would be:

sourcetype=ltm_log | lookup dnslookup clientip as host | rename clienthost as hostname | "your filter"


mpitts
Explorer

I figured this one out with a subsearch:

sourcetype=ltm_log [search host=foo | lookup dnslookup clienthost as host | rename clientip as ltm_pool_member | return ltm_pool_member]

What this does is execute the subsearch and return 'ltm_pool_member="x.x.x.x"' to the parent search.
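
The hostname-to-IP-then-search pipeline the thread settles on, as an added example in plain Python rather than SPL (it is not the original poster's code and not Splunk's). It stands in for the dnslookup external lookup with a constructed DNS table, for the F5 LTM log with a few constructed lines, and assumes the field names ltm_pool_member / status; all of that is made up for the example. It shows both directions: the forward lookup that mirrors the subsearch (resolve once, then filter by IP) and the reverse lookup that mirrors the answer above it (enrich every event with a hostname, then filter). Two things a practitioner wants checked are built in: the user-entered hostname is validated before it is placed in any search string, and the IP comparison is exact, so 10.1.2.3 does not match the member 10.1.2.30 the way a plain text match would.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for Splunk's dnslookup external lookup (clienthost -> clientip).
DNS_TABLE: Dict[str, str] = {
    "foo.example.com": "10.1.2.3",
    "bar.example.com": "10.1.2.30",
}

# Constructed F5 LTM-style log lines (not real data). 10.1.2.30 contains 10.1.2.3 as a
# substring, which a naive free-text search for the IP would wrongly report.
LTM_LOG: List[str] = [
    "Jan 10 12:00:01 ltm1 notice mcpd[1234]: Pool /Common/web_pool member /Common/10.1.2.3:80 monitor status down.",
    "Jan 10 12:00:05 ltm1 notice mcpd[1234]: Pool /Common/web_pool member /Common/10.1.2.30:80 monitor status down.",
    "Jan 10 12:01:00 ltm1 notice mcpd[1234]: Pool /Common/web_pool member /Common/10.1.2.3:443 monitor status up.",
    "Jan 10 12:02:00 ltm1 notice mcpd[1234]: Pool /Common/api_pool member /Common/10.1.2.3:8080 monitor status down.",
]

# RFC 1123 hostname shape: 1-63 char labels of letters/digits/hyphens, no leading or
# trailing hyphen, 253 chars overall. Anything else (spaces, pipes, quotes) is rejected.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)

# Field extraction for the constructed log format; ltm_pool_member is the field name
# used in the thread, port and status are assumed names.
MEMBER_RE = re.compile(
    r"member /Common/(?P<ltm_pool_member>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r" monitor status (?P<status>\w+)"
)


def validate_hostname(name: str) -> bool:
    """Reject anything that is not a plain hostname before it reaches a search string."""
    return bool(HOSTNAME_RE.match(name))


def resolve(hostname: str, table: Dict[str, str] = DNS_TABLE) -> Optional[str]:
    """Forward lookup, i.e. the subsearch's 'lookup dnslookup clienthost as host'."""
    return table.get(hostname.lower())


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Extract ltm_pool_member, port and status from one log line, or None if absent."""
    m = MEMBER_RE.search(line)
    return m.groupdict() if m else None


def failed_monitors_by_hostname(
    hostname: str, log: List[str] = LTM_LOG, table: Dict[str, str] = DNS_TABLE
) -> List[Dict[str, str]]:
    """Hostname -> IP -> events: the parent search with the subsearch's ltm_pool_member=x.x.x.x."""
    if not validate_hostname(hostname):
        raise ValueError(f"invalid hostname: {hostname!r}")
    ip = resolve(hostname, table)
    if ip is None:
        return []  # an empty subsearch result means there is nothing to search for
    events = (parse_event(line) for line in log)
    # Exact field comparison, never a substring match on the raw line.
    return [e for e in events if e and e["ltm_pool_member"] == ip and e["status"] == "down"]


def failed_monitors_by_reverse_lookup(
    hostname: str, log: List[str] = LTM_LOG, table: Dict[str, str] = DNS_TABLE
) -> List[Dict[str, str]]:
    """Enrich every event with a hostname via reverse lookup, then filter on it."""
    if not validate_hostname(hostname):
        raise ValueError(f"invalid hostname: {hostname!r}")
    reverse = {ip: host for host, ip in table.items()}
    out = []
    for line in log:
        e = parse_event(line)
        if e is None:
            continue
        e["hostname"] = reverse.get(e["ltm_pool_member"], "")
        if e["hostname"] == hostname.lower() and e["status"] == "down":
            out.append(e)
    return out


if __name__ == "__main__":
    for e in failed_monitors_by_hostname("foo.example.com"):
        print(e)
```

The forward direction does one lookup and is the cheaper one on a large log, which is why the subsearch form is the better fit for a per-host dashboard panel; the reverse direction resolves every event and is only worth it when the panel needs hostnames on all rows. When the hostname comes from a dashboard input, quote the token in Simple XML as `$host|s$` in addition to validating it, so a value containing spaces or pipes cannot change the shape of the search.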

ShaneNewman
Motivator

You need to get the data from the DNS lookup into Splunk, either as a lookup file (csv) or by having the data indexed with a timestamp. If you create a lookup or csv file, make sure that file is inside a lookups folder inside a Splunk app. Then it is as simple as:

some_search | lookup lookupfilename.csv hostname OUTPUT <field-list>