Solved: DNSLOOKUP for a Destination Host, only the Source ...

rfiscus · ‎10-21-2015

I am apparently doing something wrong with the Destination Host dnslookup, it shows the Source Host instead. Any ideas on why I can't translate the destination IP into a host? It should be pulling the IP from the log file name which is correct, the destination IP works. The Destination Host is the only thing incorrect.

index = syslog sourcetype = cisco:ios configured
| rex field=source "^/\w+/\w+/\w+/(?<SourceIP>\w+\.\w+\.\w+\.\w+).log"
| eval "Destination IP" = SourceIP
| eval "Source IP" = src_ip
| lookup dnslookup clientip AS "Source IP"
| eval "Source Host" = upper(clienthost)
| lookup dnslookup clientip AS "Destination Host"
| eval "Destination Host" = upper(clienthost)
| eval Date = strftime(_time,"%m-%d-%Y %I:%M")
| eval Username = upper(user)
| eval Message = upper(message_text)
| eventstats count AS "Event Count" BY Date "Source IP" "Destination IP" Username Message
| dedup Date "Destination IP" Username Message
| table Date "Source IP" "Source Host" "Destination IP" "Destination Host" Username Message "Event Count"
| sort Date "Destination IP" Desc

rfiscus · ‎10-21-2015

This fixed it, thanks Bert!

| rename clienthost AS "Source Host" 
| lookup dnslookup clientip AS SourceIP
| eval "Destination Host" = upper(clienthost)

View solution in original post

rfiscus · ‎10-21-2015

This fixed it, thanks Bert!

| rename clienthost AS "Source Host" 
| lookup dnslookup clientip AS SourceIP
| eval "Destination Host" = upper(clienthost)

DNSLOOKUP for a Destination Host, only the Source Host is working.

Index This | Forward, I’m heavy; backward, I’m not. What am I?

A Guide To Cloud Migration Success

Join Us for Splunk University and Get Your Bootcamp Game On!