Sunday, June 25, 2017

Splunk: Lookup PTR record for an IP address field

Here is a quick way to look up the PTR record for an IP address in Splunk using a simple 'lookup' command. I use this in a dashboard panel for a pfsense index (my pfsense machine syslogs to Splunk). The downside is that the lookups run on a per-search basis, so the searches take longer to load. I find it best to limit the number of IPs prior to doing the PTR lookup to save time.



lookup dnslookup clientip as source_ip OUTPUT clienthost as PTR


Just replace "source_ip" with the name of the IP field you want looked up; "PTR" is simply the cosmetic name of the new column the lookup adds.
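As an added example (not from the original post), here is the full search with the IP pre-filtering the post recommends, so only the top talkers are resolved; the index name pfsense, the 24-hour window and the 25-row cutoff are assumptions, and the source_ip field is the one named above.

```spl
index=pfsense earliest=-24h
| stats count AS hits BY source_ip
| sort -hits
| head 25
| lookup dnslookup clientip AS source_ip OUTPUT clienthost AS PTR
| fillnull value="(no PTR record)" PTR
| table source_ip PTR hits
```

Aggregating with stats before the lookup means dnslookup runs once per distinct IP instead of once per event, and fillnull keeps rows whose reverse lookup returned nothing visible in the panel.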

Here's an example:

