Splunk data enrichment methods
Author: Internet (reposted)
Method 1: Lookup (CSV lookup table)
Steps
1. Create a CSV file whose first column is the key field (the field the events are joined on)
2. Upload the CSV file: Settings > Lookups > Lookup table files
3. Configure Lookup definitions (gives the uploaded file a lookup name usable in searches)
4. Configure Automatic lookups (applies the lookup to every event of a sourcetype, source or host without writing | lookup in each search)
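The conf-file equivalent of steps 2 to 4, as an added example that is not part of the original post. The two CSV files, the lookup names asset_inventory and net_zones and the field names are constructed for illustration; the stanza keys are Splunk's documented transforms.conf and props.conf settings. It goes one step beyond the post by also showing a CIDR-keyed lookup, which is the form usually wanted for asset or network-zone enrichment of client IPs, and an ad hoc search that flags addresses the inventory does not cover.

```conf
# /opt/splunk/etc/apps/search/lookups/asset_inventory.csv  (constructed sample; key column first)
clientip,asset_owner,zone
203.0.113.7,web-team,dmz
198.51.100.22,finance,internal

# /opt/splunk/etc/apps/search/lookups/net_zones.csv  (constructed sample; key column holds CIDR blocks)
cidr,net_zone
10.0.0.0/8,corp
203.0.113.0/24,dmz

# /opt/splunk/etc/apps/search/local/transforms.conf  (what "Lookup definitions" writes)
[asset_inventory]
filename = asset_inventory.csv
# exact-match on the key; add "case_sensitive_match = false" when the key is a hostname or username

[net_zones]
filename = net_zones.csv
# match an event IP against the CIDR block in the "cidr" column instead of string equality
match_type = CIDR(cidr)

# /opt/splunk/etc/apps/search/local/props.conf  (what "Automatic lookups" writes)
[access_combined]
LOOKUP-asset = asset_inventory clientip OUTPUTNEW asset_owner zone
LOOKUP-zone  = net_zones cidr AS clientip OUTPUTNEW net_zone

# Ad hoc use of the same lookup, and the check a practitioner wants: client IPs
# that fall in no known network block (the lookup leaves net_zone unset on no match)
index=main sourcetype=access_combined
| lookup net_zones cidr AS clientip OUTPUTNEW net_zone
| where isnull(net_zone)
| stats count by clientip
```

Uploaded files land in the app's lookups directory and are readable by anyone with search access to that app, so keep secrets (API keys, internal credentials) out of lookup CSVs.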
Method 2: Add a hostname to IP addresses (external DNS lookup)
Steps
1. Edit /opt/splunk/etc/apps/search/local/transforms.conf and add the following stanza
[dnsLookup]
external_cmd = external_lookup.py clienthost clientip
fields_list = clienthost, clientip
# The names in fields_list must be the ones the search and props.conf use below. The original post had "host, ip" here while the search passes clientip and expects clienthost, so the lookup would not have matched any field; the corrected stanza is the same as the [dnslookup] stanza Splunk ships in $SPLUNK_HOME/etc/system/default/transforms.conf. Splunk looks for external_cmd in the bin directory of the app whose transforms.conf defines the stanza, so copy $SPLUNK_HOME/etc/system/bin/external_lookup.py to /opt/splunk/etc/apps/search/bin/ (or simply use the bundled dnslookup stanza).
2. Run the following search
index=main sourcetype="access_combined" | lookup dnsLookup clientip
# The search hands the clientip values to the script, which resolves each one with a reverse DNS query and returns clienthost. Each distinct value costs a DNS round trip at search time, and the PTR record is written by whoever controls the reverse zone, so treat clienthost as untrusted enrichment rather than evidence.
To apply the external lookup automatically, edit /opt/splunk/etc/apps/search/local/props.conf
[access_combined]
LOOKUP-dns = dnsLookup clientip OUTPUTNEW clienthost AS resolved_hostname
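What the script behind external_cmd has to do, as an added example that is not Splunk's own external_lookup.py: Splunk passes the fields_list names as command-line arguments, feeds the events' values to the script as CSV on stdin (header = those field names, one row per distinct value), and reads CSV with the same header back from stdout; a row returned with the empty field filled in is a match, a row not returned is "no match". The resolvers are injectable so the logic can be exercised offline (the hostnames and addresses in the docstrings and tests are constructed); run it under Splunk's Python 3 from the app's bin directory with the two field names as arguments, as in the transforms.conf stanza above.

```python
"""Reverse/forward DNS as a Splunk external lookup (added example, not Splunk's script).

Splunk's contract for any external_cmd: the field names from fields_list arrive
as argv, event values arrive as CSV on stdin with those names as the header,
and the script must write CSV with the same header to stdout.
"""
import csv
import io
import socket
import sys
from typing import Callable, Dict, Iterable, List

Resolver = Callable[[str], List[str]]   # one query -> zero or more answers


def forward(host: str) -> List[str]:
    """Hostname -> addresses via the system resolver (IPv4 and IPv6)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


def reverse(ip: str) -> List[str]:
    """IP -> PTR name. The owner of the reverse zone chooses the PTR text, so a
    resolved name is enrichment, not evidence: never key an allow-list on it."""
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except (socket.herror, socket.gaierror, OSError):
        return []


def enrich(rows: Iterable[Dict[str, str]], hostfield: str, ipfield: str,
           fwd: Resolver = forward, rev: Resolver = reverse) -> List[Dict[str, str]]:
    """Fill in whichever of the two fields is missing in each input row."""
    out: List[Dict[str, str]] = []
    for row in rows:
        host, ip = row.get(hostfield, ""), row.get(ipfield, "")
        if host and ip:
            out.append(dict(row))                                 # already complete
        elif ip:
            out.extend({**row, hostfield: h} for h in rev(ip))    # reverse lookup
        elif host:
            out.extend({**row, ipfield: a} for a in fwd(host))    # one row per address
        # neither field present, or no DNS answer: emit nothing, i.e. "no match"
    return out


def run(hostfield: str, ipfield: str, instream, outstream,
        fwd: Resolver = forward, rev: Resolver = reverse) -> int:
    """Process one Splunk lookup request: CSV in, CSV out. Returns an exit code."""
    reader = csv.DictReader(instream)
    if not reader.fieldnames:
        return 0                                                  # empty input
    for f in (hostfield, ipfield):
        if f not in reader.fieldnames:
            sys.stderr.write(f"field {f!r} not in input header {reader.fieldnames}\n")
            return 2                                              # fields_list mismatch
    writer = csv.DictWriter(outstream, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(enrich(reader, hostfield, ipfield, fwd, rev))
    return 0


def run_text(hostfield: str, ipfield: str, text: str,
             fwd: Resolver = forward, rev: Resolver = reverse) -> str:
    """Convenience wrapper: CSV text in, CSV text out (lets the protocol be tested offline)."""
    out = io.StringIO()
    run(hostfield, ipfield, io.StringIO(text), out, fwd, rev)
    return out.getvalue()


if __name__ == "__main__":
    # Splunk invokes: external_lookup.py clienthost clientip
    if len(sys.argv) != 3:
        sys.stderr.write("usage: external_lookup.py <hostfield> <ipfield>\n")
        sys.exit(1)
    sys.exit(run(sys.argv[1], sys.argv[2], sys.stdin, sys.stdout))
```

The field-name check in run() is what turns the fields_list mismatch described above into a visible error on stderr (Splunk surfaces it in the search job's messages) instead of a silently empty result.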
Method 3: Look up a given IP address at ARIN (workflow action)
# https://www.arin.net/
Steps
1. Settings > Fields > Workflow actions
2. New; tick "Show only objects created in this app context"
3. Fill in the form:
Destination app: search
Name: ARIN_Lookup
Label: Lookup $clientip$ in ARIN
Apply only to the following fields: clientip
Show action in: Both
Action type: link
Link configuration URL: http://whois.arin.net/rest/ip/$clientip$
(Alternative, Chinese-language whois: http://tool.chinaz.com/ipwhois?q=$clientip$)
Link method: get
# Test: http://whois.arin.net/rest/ip/202.96.134.133
# Test: http://tool.chinaz.com/ipwhois?q=202.96.134.133
# Test: http://ip.tool.chinaz.com/202.96.134.133
# Clicking the action sends the clientip value to the third-party site from the analyst's browser; use the https form of the URL, and do not point the action at fields that carry internal addresses you would rather not disclose.
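The same workflow action as a conf stanza, as an added example that is not part of the original post, for deployments managed from version control rather than the UI. The stanza name and field are those from the form above; the keys are Splunk's documented workflow_actions.conf settings, and the URL is the https form of the one used on this page.

```conf
# /opt/splunk/etc/apps/search/local/workflow_actions.conf
[ARIN_Lookup]
type = link
label = Lookup $clientip$ in ARIN
# only offer the action on the clientip field (a comma-separated list or * is also allowed)
fields = clientip
# both: event menu and field menu ("Show action in: Both" in the UI)
display_location = both
link.method = get
# open in a new tab so the analyst does not lose the search
link.target = blank
link.uri = https://whois.arin.net/rest/ip/$clientip$
```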
Method 4: Query a database with DB Connect
Source: https://www.cnblogs.com/lanshiyun/p/10703999.html