All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Use a lookup of one field to populate a search

mpitts
Explorer
‎10-29-2013 05:43 PM

I'm trying to build a server healthcheck dashboard in which a user enters a hostname and is returned a series. One of the panels I would like to return is a search of our load balancer logs showing if the server has any failed monitors. My problem is that the load balancer logs record everything by IP. So I need to be able to take the hostname that the user enters, perform a DNS lookup on it, then use the resulting IP in a search of the load balancer logs.

I've gotten as far as being able to perform the DNS lookup of the hostname, but I can't figure out how to then take and perform the second search.

Thanks for any help.

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎10-30-2013 10:04 AM

Other simpler option on the similar line woud be:-

sourcetype=ltm_log | lookup dnslookup clientip as host | rename clinethost as hostname| "your filter"

0 Karma
Reply

mpitts
Explorer
‎10-30-2013 07:13 AM

I figured this one out with a subsearch:

sourcetype=ltm_log [search host=foo | lookup dnslookup clienthost as host | rename clientip as ltm_pool_member | return ltm_pool_member]

What this does is execute the subsearch and return 'ltm_pool_member="x.x.x.x"' to the parent search.

Reply

ShaneNewman
Motivator
‎10-29-2013 06:13 PM

You need to get the data from the dns lookup into Splunk, either as a lookup file (csv) or by having the data indexed with a timestamp. If you create a lookup or csv file, make sure that file is inside a lookups folder inside a Splunk app. The it is as simple as:

some_search | lookup lookupfilename.csv hostname OUTPUT <field-list>
0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...