
Splunk data enrichment methods


Method 1: CSV lookup

Step
1. Create a CSV file whose first column is the index field (the field the events are joined on).
2. Import the CSV file: Settings > Lookups > Lookup table files.
3. Configure a Lookup definition for it.
4. Configure an Automatic lookup so the extra fields are added at search time.

Method 2: Add hostnames to IP addresses (external DNS lookup)

Step
1. Edit /opt/splunk/etc/apps/search/local/transforms.conf and add the following stanza. The two names given to the script and listed in fields_list are the field names the search must use; the original post listed them as "host, ip", which does not match the clientip/clienthost fields used below, so they are corrected here:

    [dnsLookup]
    external_cmd = external_lookup.py clienthost clientip
    fields_list = clienthost, clientip

2. Run the following search:

    index=main sourcetype="access_combined" | lookup dnsLookup clientip

   # This search hands the clientip field to the script, which resolves the IP through DNS and returns clienthost.

To run the external lookup automatically, edit /opt/splunk/etc/apps/search/local/props.conf:

    [access_combined]
    LOOKUP-dns = dnsLookup clientip OUTPUTNEW clienthost AS resolved_hostname

Method 3: Look up a given IP address in ARIN
# https://www.arin.net/

Step
1. Settings > Fields > Workflow actions.
2. New; tick "Show only objects created in this app context".
3. Fill in the workflow action:
   Destination app: search
   Name: ARIN_Lookup
   Label: Lookup $clientip$ in ARIN
   Apply only to the following fields: clientip
   Show action in: Both
   Action type: link
   Link configuration URL: http://whois.arin.net/rest/ip/$clientip$
   Link configuration URL (alternative): http://tool.chinaz.com/ipwhois?q=$clientip$
   Link method: get

   # Test: http://whois.arin.net/rest/ip/
   # Test: http://tool.chinaz.com/ipwhois?q=
   # Test: http://ip.tool.chinaz.com/
   # Test: https://translate.google.cn/#view=home&op=translate&sl=en&tl=zh-CN&text=drive-by%20download

Method 4: Query from a database (DB Connect)
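The following is an added example (not the post's own code and not Splunk's bundled external_lookup.py) showing what a script behind a transforms.conf external_cmd stanza like the one in Method 2 has to do: read the CSV Splunk writes to stdin, fill in the empty side of each host/IP pair, and write the CSV back on stdout. The resolver is injectable so the CSV handling can be exercised without DNS; the sample rows and the db01.example.test mapping are constructed for the demo.

```python
import csv
import io
import socket
import sys


def resolve_pair(host, ip):
    """Fill in whichever of host/ip is missing via the system resolver.
    On failure the missing value stays empty so the row still passes through."""
    try:
        if ip and not host:
            host = socket.gethostbyaddr(ip)[0]
        elif host and not ip:
            ip = socket.gethostbyname(host)
    except OSError:
        pass
    return host, ip


def run_lookup(host_field, ip_field, csv_text, resolver=resolve_pair):
    """Enrich the CSV Splunk sends to an external lookup and return the CSV to emit.

    The header carries the names from fields_list; each row has one side filled
    in and expects the script to supply the other. Extra columns are preserved.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    names = reader.fieldnames or []
    if host_field not in names or ip_field not in names:
        raise ValueError("input CSV must carry %s and %s" % (host_field, ip_field))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=names, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row[host_field], row[ip_field] = resolver(row[host_field], row[ip_field])
        writer.writerow(row)
    return out.getvalue()


# Constructed sample of what Splunk would send for `| lookup dnsLookup clientip`
SAMPLE_INPUT = "clienthost,clientip\n,10.0.0.5\n,192.0.2.1\n"


def demo():
    """Run the lookup over SAMPLE_INPUT with a canned resolver (no network)."""
    table = {"10.0.0.5": "db01.example.test"}  # constructed reverse-DNS answers

    def canned(host, ip):
        return host or table.get(ip, ""), ip

    return run_lookup("clienthost", "clientip", SAMPLE_INPUT, resolver=canned)


if __name__ == "__main__":
    # Splunk invokes the script as: external_lookup.py <host_field> <ip_field>
    if len(sys.argv) != 3:
        sys.exit("usage: %s <host_field> <ip_field>" % sys.argv[0])
    sys.stdout.write(run_lookup(sys.argv[1], sys.argv[2], sys.stdin.read()))
```

An IP with no reverse record (192.0.2.1 in the sample) is returned with clienthost left empty, which is why the props.conf stanza above uses OUTPUTNEW rather than overwriting fields.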

Source: https://www.cnblogs.com/lanshiyun/p/10703999.html