Solved: Re: How to a DNS lookup on the top 20 IP results r...

bkosick · ‎06-01-2016

Hi All,

I have a search that gives me the top 20 IP's visiting my website. I also, have a working dnslookup version of the search which is way slower. I'm trying to figure out how to do the dns lookup only on the top 20 results that are returned:

No DNS lookup, pretty quick

sourcetype=access_combined | top clientip limit=20

DNS lookup orders of magnitude slower

sourcetype=access_combined | lookup dnslookup clientip | top clientip,clienthost limit=20

I've also tried this, but it isn't quite what I want either:

[ search sourcetype=access_combined  | top clientip limit=20 | table clientip] | lookup dnslookup clientip | top clientip,clienthost

I want something like this:

sourcetype=access_combined | top clientip,clienthost limit=20 | lookup dnslookup clientip

I've set up dnsmasq on 127.0.0.1 on the search head and was curious where exactly the external_lookup.py script looks for dns resolution.

Thanks in advance
Brian

somesoni2 · ‎06-01-2016

How about this

 sourcetype=access_combined | top clientip limit=20 | lookup dnslookup clientip

View solution in original post

somesoni2 · ‎06-01-2016

How about this

 sourcetype=access_combined | top clientip limit=20 | lookup dnslookup clientip

bkosick · ‎06-01-2016

Ahh, that plus adding ...

sourcetype=access_combined | top clientip limit=20 | lookup dnslookup clientip | table clientip, clienthost, count, percent

Gives me exactly what I want

Thanks!

How to a DNS lookup on the top 20 IP results returned from a search?

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases

Detecting Remote Code Executions With the Splunk Threat Research Team