Solved: Re: DNSLOOKUP for a Destination Host, only the Sou...

rfiscus · ‎10-21-2015

I am apparently doing something wrong with the Destination Host dnslookup, it shows the Source Host instead. Any ideas on why I can't translate the destination IP into a host? It should be pulling the IP from the log file name which is correct, the destination IP works. The Destination Host is the only thing incorrect.

index = syslog sourcetype = cisco:ios configured
| rex field=source "^/\w+/\w+/\w+/(?<SourceIP>\w+\.\w+\.\w+\.\w+).log"
| eval "Destination IP" = SourceIP
| eval "Source IP" = src_ip
| lookup dnslookup clientip AS "Source IP"
| eval "Source Host" = upper(clienthost)
| lookup dnslookup clientip AS "Destination Host"
| eval "Destination Host" = upper(clienthost)
| eval Date = strftime(_time,"%m-%d-%Y %I:%M")
| eval Username = upper(user)
| eval Message = upper(message_text)
| eventstats count AS "Event Count" BY Date "Source IP" "Destination IP" Username Message
| dedup Date "Destination IP" Username Message
| table Date "Source IP" "Source Host" "Destination IP" "Destination Host" Username Message "Event Count"
| sort Date "Destination IP" Desc

rfiscus · ‎10-21-2015

This fixed it, thanks Bert!

| rename clienthost AS "Source Host" 
| lookup dnslookup clientip AS SourceIP
| eval "Destination Host" = upper(clienthost)

View solution in original post

rfiscus · ‎10-21-2015

This fixed it, thanks Bert!

| rename clienthost AS "Source Host" 
| lookup dnslookup clientip AS SourceIP
| eval "Destination Host" = upper(clienthost)

DNSLOOKUP for a Destination Host, only the Source Host is working.

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability