Splunk Search

If an IP is put into a table, how would I get the username from a separate log?

henryessinghigh
New Member

Hi, I know my question is a little bland, so I'll elaborate here:

If I have a user with IP 10.7.102.36 going to www.google.com, and I find both "google.com" and the source IP through our Infoblox DNS and place them into a table, how would I find the IP and place it into the same table? The table should look something like this:

|| google.com || 10.7.102.36 || John.Doe || _time

The sourcetype required to get the webpage and the IP address is "infoblox:dns", and the sourcetype required to get the username for that IP address is "ias".

Here is my search:

index=* (sourcetype="infoblox:dns") page_name!="" dns_request_client_ip!=""
| table page_name dns_request_client_ip user _time
| search (page_name=*)
| rename page_name as "Site" dns_request_client_ip as "Client IP" | sort - _time

I'd appreciate any help you can give me. I'm quite new to Splunk, so this is a relatively difficult task for me.

0 Karma

nickhills
Ultra Champion

There are several ways to do this:

  • join - use with caution. Join performs confusingly (if you know SQL) and in many cases poorly vs other methods, but it does have uses.
  • stats - often faster than join, but may require some manipulation to get your desired results.
  • lookup - my preferred solution, and particularly advantageous if you have values you frequently wish to correlate.

Start here: https://docs.splunk.com/Documentation/Splunk/8.0.1/Knowledge/Aboutlookupsandfieldactions

If my comment helps, please give it a thumbs up!
0 Karma

gcusello
SplunkTrust

Hi @henryessinghigh,
You could use the join command, but I don't recommend it because it's a very slow command; use stats instead:

index=* sourcetype=infoblox:dns page_name!="" dns_request_client_ip!="" page_name=*
| stats values(page_name) AS page_name values(user) AS user earliest(_time) AS _time BY dns_request_client_ip
| mvexpand page_name
| mvexpand user
| rename page_name as "Site" dns_request_client_ip as "Client IP" 
| sort - _time

Ciao.
Giuseppe

0 Karma
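The stats approach both answers describe only works if the search actually reads both sourcetypes, so here is an added example (not from either answer) that does that: it pulls infoblox:dns and ias events together, keys them on a common client_ip field, and buckets by hour so that an address reassigned by DHCP or VPN later in the day is not matched to the wrong user. It assumes the ias events carry the client address in a field named src_ip; that name is a placeholder, and the real one can be found with sourcetype=ias | fieldsummary.

```spl
index=* ((sourcetype="infoblox:dns" page_name=*) OR (sourcetype="ias" user=*))
| eval note="src_ip is an ASSUMED name for the ias client address field; adjust it"
| eval client_ip=coalesce(dns_request_client_ip, src_ip)
| bin _time span=1h
| stats values(page_name) AS page_name values(user) AS user BY client_ip _time
| where isnotnull(page_name) AND isnotnull(user)
| mvexpand page_name
| table page_name client_ip user _time
| rename page_name AS "Site" client_ip AS "Client IP"
| sort - _time
```

Rows whose hourly bucket contains DNS activity but no ias logon for that address are dropped by the where clause; widen span or switch to a lookup built from ias if logons are rarer than that.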