Some (or probably most/all) of your searches will involve public IP addresses, and more often than not we want additional info alongside the IP address to work with.
Three things that Splunk can do automatically are: get IP-location info, reverse-lookup an IP to a domain, or look up a domain to an IP.
There are two ways to geolocate IPs: the iplocation command, or the MAXMIND app.
The command iplocation is described as:
Finds ips in _raw and looks up the IP location using the hostip.info database. IPs are extracted as ip1, ip2, etc. Cities and Countries are likewise extracted.
All we need to do is pipe the search to iplocation and let it do the rest! The lookups are done from the server on the fly, so make sure that the server is able to do whois/ns lookups on the network.
index=myindex | iplocation
1b. MAXMIND app
As mentioned before: install the MAXMIND app, then pipe the field containing IPs to the lookup. The lookup's field name is clientip, so if your events use a different field name you have to map it with "as" (second search below), otherwise this will not work.
This can work with the server not having any internet connectivity, but the accuracy is entirely dependent on the cached MAXMIND database.
index=myindex | lookup geoip clientip
index=myindex2 | lookup geoip clientip as fieldwithip
2, 3. IP-hostname or hostname-IP
These two items are pretty similar. Splunk 4 comes with a lookup script called external_lookup.py, and the config is already in the default transforms.conf. So we only need to use it!
Resolving IPs to hostnames:
index=myindex | lookup dnslookup clientip
Resolving hostnames to IPs:
index=myindex | lookup dnslookup clienthost
(no screenshot, sorry :P)
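How an external lookup like dnslookup talks to Splunk, as an added example (this is not Splunk's shipped external_lookup.py): Splunk hands the script a CSV on stdin with the lookup fields as headers, and the script writes the same CSV back on stdout with the empty fields filled in. The run_lookup function, the per-value cache and the swappable resolver arguments are assumptions of this example, and the sample rows are constructed.

```python
import csv
import io
import socket
import sys


def resolve_ip(host):
    """Forward lookup; returns '' when the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return ""


def resolve_host(ip):
    """Reverse (PTR) lookup; returns '' when there is no record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ""


def run_lookup(infile, outfile, hostfield="clienthost", ipfield="clientip",
               forward=resolve_ip, reverse=resolve_host):
    """Fill in whichever of hostfield/ipfield is empty in each CSV row."""
    reader = csv.DictReader(infile)
    writer = csv.DictWriter(outfile, fieldnames=reader.fieldnames)
    writer.writeheader()
    cache = {}  # one DNS query per distinct value, not one per event
    for row in reader:
        host, ip = row.get(hostfield, ""), row.get(ipfield, "")
        if ip and not host:
            if ("r", ip) not in cache:
                cache[("r", ip)] = reverse(ip)
            row[hostfield] = cache[("r", ip)]
        elif host and not ip:
            if ("f", host) not in cache:
                cache[("f", host)] = forward(host)
            row[ipfield] = cache[("f", host)]
        writer.writerow(row)


if __name__ == "__main__":
    # Constructed sample input; the stub resolvers keep the demo offline.
    sample = "clienthost,clientip\r\n,192.0.2.10\r\nwww.example.test,\r\n"
    run_lookup(io.StringIO(sample), sys.stdout,
               reverse={"192.0.2.10": "mail.example.test"}.get,
               forward={"www.example.test": "192.0.2.20"}.get)
```

With the default resolvers every distinct IP or hostname in the results triggers a real DNS query from the search head, and the names that come back from reverse lookups are whatever the owner of that address space published.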
Leave a comment if this helped, or if you want to ask anything!