I'm running a query which returns the destination IP addresses of a user's external traffic in one column, something like this:

```
----dest-----
1.2.3.4
23.23.23.23
45.45.45.45
67.67.67.67
4.3.2.1
```
This means the user accessed the IP addresses listed above (in the last 15 minutes, for example).

I'm also running a different query to do a DNS PTR record check of a given IP address, something like this:

```
index=dnslogs sourcetype=ptr_data dns_name="1.2.3.4" | stats values(query)
```

and it returns something like this:

```
----------DNS Value---------
google.com
```
What I'm trying to do is:

**AFTER** my first query **returns** this one-column result, I want to iterate every value of each row into my next query to look for DNS PTR records and then merge the results of the queries.

What I mean is I need to run every IP address through this query and then merge the results. In my case:

my IP addresses are 1.2.3.4, 23.23.23.23, 45.45.45.45, 67.67.67.67, 4.3.2.1

x.x.x.x should be replaced by these IP addresses for each iteration:

```
index=dnslogs sourcetype=ptr_data dns_name="x.x.x.x" | stats values(query)
```
And my expected results should look something like this:

```
----dest------   ---------DNS Value---------
1.2.3.4          google.com
23.23.23.23      NULL
45.45.45.45      whatsapp.com
                 web.whatsapp.com
67.67.67.67      twitter.com
4.3.2.1          NULL
```
The result above shows that some of the query results return **NULL**, some of them return **multiple values** like 45.45.45.45, and some of them return only **one** value.

Is there any way to do something like that? These two queries are completely different queries. I looked at sub-search but it didn't work for me, or I couldn't do this.
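One way to express the merge described above as a single SPL search, added here as an example and not part of the original post: the PTR lookup runs once as a subsearch, aggregated per address, and is left-joined onto the `dest` column so that rows without a PTR record survive with `NULL` and rows with several records keep a multivalue field. `<your first search>` stands in for the unshown first query, and `dns_value` is an assumed output field name.

```spl
<your first search>
| table dest
| join type=left dest
    [ search index=dnslogs sourcetype=ptr_data
      | stats values(query) AS dns_value BY dns_name
      | rename dns_name AS dest ]
| fillnull value=NULL dns_value
| table dest dns_value
```

`type=left` keeps every `dest` row even when no PTR record matched, and `fillnull` turns the missing field into the literal `NULL` shown in the expected output; the subsearch is subject to Splunk's subsearch result and time limits, so restrict `index=dnslogs` to the same time window as the first search to keep it small.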