I'm running a query which returns the destination IP addresses of a user's external traffic in one column, something like this:
----dest-----
1.2.3.4
23.23.23.23
45.45.45.45
67.67.67.67
4.3.2.1
which means the user accessed the IP addresses listed above (in the last 15 minutes, for example).
I'm also running a different query to do a DNS PTR record check of a given IP address, something like this:
index=dnslogs sourcetype=ptr_data dns_name="1.2.3.4" | stats values(query)
and it returns something like this:
----------DNS Value---------
google.com
What I'm trying to do is:
AFTER my first query returns this one-column result, I want to iterate over every value in each row into my next query to look up DNS PTR records and then merge the results of the queries.
What I mean is I need to run every IP address through this query and then merge the results. In my case:
my IP addresses are 1.2.3.4, 23.23.23.23, 45.45.45.45, 67.67.67.67, 4.3.2.1
x.x.x.x should be replaced by these IP addresses for each iteration:
index=dnslogs sourcetype=ptr_data dns_name="x.x.x.x" | stats values(query)
And my expected results should look something like this:
----dest------    ---------DNS Value---------
1.2.3.4           google.com
23.23.23.23       NULL
45.45.45.45       whatsapp.com
                  web.whatsapp.com
67.67.67.67       twitter.com
4.3.2.1           NULL
The result above shows that some of the query results return NULL, some return multiple values (like 45.45.45.45), and some return only one value.
Is there any way to do something like that? These two queries are completely different queries. I looked at subsearch but it didn't work for me, or I couldn't do this.
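An added SPL example (not from the original post) of one way to merge the two searches: run the traffic search as the main search, then left-join the PTR search on the IP so that rows with no PTR record are kept with an empty "DNS Value" and rows with several PTR answers keep them as a multivalue field. The first search in the post is not shown, so `index=proxy user="alice" earliest=-15m` and the `dest` field are assumed stand-ins for it; `index=dnslogs sourcetype=ptr_data`, `dns_name` and `query` are taken from the post.

```spl
index=proxy user="alice" earliest=-15m
| stats count BY dest
| fields dest
| join type=left dest
    [ search index=dnslogs sourcetype=ptr_data
      | rename dns_name AS dest
      | stats values(query) AS "DNS Value" BY dest ]
```

`type=left` is what preserves the NULL rows (`23.23.23.23`, `4.3.2.1` in the expected output); a plain `join` would drop them. The subsearch runs once over all `ptr_data` events in the search window and `stats ... BY dest` collapses them to one row per IP before the join, so multiple PTR answers for `45.45.45.45` arrive as a single multivalue field rather than duplicate rows. Two caveats a practitioner should check: `join` subsearches are capped (by default at 50,000 results and a time limit), so if `ptr_data` is large, narrow the subsearch to the IPs of interest by nesting the traffic search inside it with `| rename dest AS dns_name | fields dns_name | format`; and if both sourcetypes share the same index, the usual faster alternative is a single search over both with `eval dest=coalesce(dest, dns_name) | stats values(query) AS "DNS Value" BY dest`, which avoids `join` entirely.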