(Splunk 7.2.3)
I have a single windows domain.
Inside that domain I have 2 subnets, 192.168.1.x, 192.168.2.x.
I have 19 hosts, spread across the 2 subnets.
All devices report their "host=" as an IP address, not a hostname.
I ran the search:
index=x | dedup host | lookup dnslookup clientip AS host OUTPUT clienthost AS hostname | table host forwarder hostname
And I have some issues with the results:
Issue 1)
When I inspect the search job, the "command.lookup" portion takes 217 seconds. This is searching the entire index of ~200 logs across the past week. The search with no lookup takes about 3 seconds to display the results.
I cannot find any logs relating to this delay, at least not in the /var/log/splunk directory. No timeouts or anything.
Issue 2)
Of my 19 hosts in the result table, only 9 actually have a "hostname" field. Closer inspection reveals that the missing hosts are all on the same subnet, the 192.168.2.x. For some reason, only one subnet is being pulled.
I have 2 search heads, one at each location, so I ran the same search from the other search head (192.168.2.x). OPPOSITE RESULTS. All the 192.168.1.x hosts are missing the lookup data.
When I run a basic nslookup command from a workstation, the results and response time are identical for either subnet. So, I assume the script is doing something else, but I am not entirely sure which script is running this nslookup.
Is my search taking long because of timeouts for the failing subnet?
I changed my search to specify only one subnet's worth of devices:
index=x subnet=1 | dedup host | lookup dnslookup clientip AS host OUTPUT clienthost AS hostname | table host forwarder hostname
This result returns all 9 subnet1 host IPs with corresponding hostnames, but the search still took 71 seconds. So timeouts may have had a small part to play, but are definitely not the full culprit.
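As an added diagnostic (not part of the original post and not Splunk's own dnslookup script), the script below follows the same stdin/stdout CSV contract as an external lookup and times every reverse-DNS query, then groups the outcome per /24, so running it on each search head shows which subnet's PTR lookups fail or stall and how much of the wall-clock time they eat. The resolver function, the field names clientip/clienthost and the sample IPs are assumptions.

```python
import csv
import io
import socket
import sys
import time
from collections import defaultdict

def resolve_ptr(ip):
    """Default resolver: reverse DNS through the OS resolver, which is what dnslookup relies on."""
    return socket.gethostbyaddr(ip)[0]

def time_resolutions(ips, resolver=resolve_ptr):
    """Resolve each distinct IP once; record (hostname or None, elapsed seconds, outcome)."""
    results = {}
    for ip in dict.fromkeys(ips):  # keeps order, drops duplicates
        start = time.monotonic()
        try:
            name, outcome = resolver(ip), "ok"
        except OSError as exc:  # socket.herror/gaierror (NXDOMAIN, timeout) are OSError subclasses
            name, outcome = None, type(exc).__name__
        results[ip] = (name, time.monotonic() - start, outcome)
    return results

def summarize_by_subnet(results):
    """Per /24: how many resolved, how many failed, and the seconds spent waiting on DNS."""
    summary = defaultdict(lambda: {"resolved": 0, "failed": 0, "seconds": 0.0})
    for ip, (name, elapsed, _outcome) in results.items():
        subnet = ip.rsplit(".", 1)[0] + ".0/24"
        summary[subnet]["resolved" if name else "failed"] += 1
        summary[subnet]["seconds"] += elapsed
    return dict(summary)

def run_lookup(csv_text, resolver=resolve_ptr):
    """External-lookup contract: CSV with clientip in, the same CSV with clienthost filled out."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    results = time_resolutions([row["clientip"] for row in rows], resolver)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["clientip", "clienthost"])
    writer.writeheader()
    for ip, (name, _elapsed, _outcome) in results.items():
        writer.writerow({"clientip": ip, "clienthost": name or ""})
    return out.getvalue(), summarize_by_subnet(results)

# Constructed sample input, one host per subnet from the question, used when nothing is piped in.
SAMPLE_INPUT = "clientip,clienthost\n192.168.1.10,\n192.168.2.10,\n"

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INPUT
    output, summary = run_lookup(text)
    sys.stdout.write(output)
    for subnet, stats in sorted(summary.items()):
        sys.stderr.write(f"{subnet}: {stats['resolved']} resolved, {stats['failed']} failed, {stats['seconds']:.2f}s\n")
```

Feed it the `host` column exported from the dedup'd search (`clientip` header) on each search head; a subnet whose rows come back empty while accumulating most of the seconds is the one whose reverse zone that head cannot reach.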