Hello,
I have the following tstats query that I do not understand why it is not returning the FQDN
Here's the query I started off with that works:
| tstats summariesonly=t count FROM datamodel="pan_firewall" where nodename="log" log.vendor_action!=allow groupby host,log. src_zone,log.src_ip,log.dest_zone,log.dest_ip,log.dest_port
| rename log.* AS *
| table host,src_zone,src_ip,dest_zone,dest_ip,dest_port
In the following query, I want to resolve both the 'src_ip' and 'dest_ip' to a FQDN but is not working with no error notification or any indication the matched event counter was incrementing.
|tstats summariesonly=t count FROM datamodel="pan_firewall" where nodename="log" log.vendor_action!=allow groupby host,log.src_zone,log.src_ip,log.dest_zone,log.dest_ip,log.dest_port
| rename log.* AS *
| lookup dnslookup clientip AS src_ip output clienthost AS src_hostname
| lookup dnslookup clientip AS dest_ip output clienthost AS dest_hostname
| table host,src_zone,src_ip,src_hostname,dest_zone,dest_ip,dest_hostname,dest_port
If I run a similar command, the 'dnslookup' works.
index=* sourcetype=* vendor_action!=allow
| lookup dnslookup clientip AS src_ip output clienthost AS src_hostname
| lookup dnslookup clientip AS dest_ip output clienthost AS dest_hostname
| table host,src_zone,src_ip,src_hostname,dest_zone,dest_ip,dest_hostname,dest_port
↧