Excluding Infoblox Members from Reports

Posts: 183

For some of the "top 10" reports I would like to exclude the Infoblox grid members. Because of our configuration, reports like Top DNS Clients will be dominated by grid members forwarding queries to other grid members. There are times I want to see that, but most of the time that is just noise.

Most of the time, the data only has the IP of the client (grid member), so the nios_member_ip_lookup isn't any help as it takes the wrong info: it takes the name and gives the IP. I need the other way around.

This code is what I came up with and it works but is slow. It's fine when there are a few clients to verify, but doing a reverse DNS lookup on thousands of IPs is not a good option. Is there a better way of doing this?

    | lookup dnslookup clientip as CLIENT OUTPUT clienthost as CLIENT_NAME
    | fillnull value="" CLIENT_NAME
    | lookup nios_member_ip_lookup host as CLIENT_NAME OUTPUT MEMBER_IP as memberip
    | where isnull(memberip)

Re: Excluding Infoblox Members from Reports

Posts: 2

You can easily add some regex to your search string to exclude results and create a new report/dashboard from there. Remember that if you want to modify existing dashboards/reports it's better to clone them and edit those.


Add this to the Top DNS Clients search string to exclude some sources (in this example there are 3 Infoblox name servers with IP address, and):

    | regex Client!="^192\.168\.1\.(1|2|3)\b"


Full search:

    index=ib_dns_summary report=si_dns_top_clients
    | lookup dns_viewkey_displayname_lookup VIEW output display_name
    | stats sum(COUNT) as CLIENT_QUERIES by CLIENT
    | sort -CLIENT_QUERIES
    | head 10
    | eventstats sum(CLIENT_QUERIES) as TOTAL
    | eval PERCENT=round(CLIENT_QUERIES*100/TOTAL,1)
    | eval PCLIENT=CLIENT+" ("+PERCENT+"%)"
    | rename PCLIENT as Client, CLIENT_QUERIES as Queries
    | fields Client, Queries
    | regex Client!="^192\.168\.1\.(1|2|3)\b"


John Neerdael
Professional Services Engineer EMEA

Re: Excluding Infoblox Members from Reports

Posts: 183

I have over 100 grid members, with adds and removes to the grid on a monthly basis, so a hard-coded regex in each search is not really a scalable solution. I need something that is as fast as a regex or lookup table but is automatically kept in sync with the current grid members.


Re: Excluding Infoblox Members from Reports

Posts: 183

I had it in my head that lookup tables had defined input and output fields. They don’t, so the NIOS_members_ip.csv can take either field as an input and give you the other field as an output. This means the above code is not needed. Just a single lookup and null check is all that is needed.


It’s now on my list to make this into a radio button input field so the grid members can be shown or hidden as a dashboard selection.   It’s down on my list a ways though. I’ll update if I ever get to it.
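
The single lookup and null check described in the last post, written out as an added example that is not from any poster in the thread. It assumes nios_member_ip_lookup exposes the host and MEMBER_IP columns used earlier in the thread and that CLIENT holds the client IP; MEMBER_HOST is a field name chosen here. The member filter runs after stats (one lookup per client rather than per event) and before head, so the top 10 and the percentages are computed over non-member clients only.

```spl
index=ib_dns_summary report=si_dns_top_clients
| stats sum(COUNT) as CLIENT_QUERIES by CLIENT
| lookup nios_member_ip_lookup MEMBER_IP as CLIENT OUTPUT host as MEMBER_HOST
| where isnull(MEMBER_HOST)
| sort -CLIENT_QUERIES
| head 10
| eventstats sum(CLIENT_QUERIES) as TOTAL
| eval PERCENT=round(CLIENT_QUERIES*100/TOTAL,1)
| eval PCLIENT=CLIENT+" ("+PERCENT+"%)"
| rename PCLIENT as Client, CLIENT_QUERIES as Queries
| fields Client, Queries
```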
