07-29-2016 01:38 PM
For some of the "top 10" reports I would like to exclude the Infoblox grid members. Because of our configuration, reports like Top DNS Clients will be dominated by grid members forwarding queries to other grid members. There are times I want to see that, but most of the time that is just noise.
Most of the time, the data only has the IP of the client (grid member), so the nios_member_ip_lookup isn't any help as it takes the wrong info: it takes the name and gives the IP. I need the other way around.
This code is what I came up with and it works but is slow. It's fine when there are a few clients to verify, but doing a reverse DNS lookup on thousands of IPs is not a good option. Is there a better way of doing this?
| lookup dnslookup clientip as CLIENT OUTPUT clienthost as CLIENT_NAME | fillnull value="" CLIENT_NAME | lookup nios_member_ip_lookup host as CLIENT_NAME OUTPUT MEMBER_IP as memberip |where isnull(memberip)
08-01-2016 07:20 AM - edited 08-01-2016 07:24 AM
You can easily add some regex to your search string to exclude results and create a new report/dashboard from there. Remember that if you want to modify existing dashboards/reports it's better to clone them and edit those.
Add this to the Top DNS Clients search string to exclude some sources (in this example there are 3 Infoblox name servers with IP addresses 192.168.1.1, 192.168.1.2 and 192.168.1.3): | regex Client!="192.168.1.(1|2|3)"
index=ib_dns_summary report=si_dns_top_clients | lookup dns_viewkey_displayname_lookup VIEW output display_name | stats sum(COUNT) as CLIENT_QUERIES by CLIENT | sort -CLIENT_QUERIES | head 10 | eventstats sum(CLIENT_QUERIES) as TOTAL | eval PERCENT=round(CLIENT_QUERIES*100/TOTAL,1) | eval PCLIENT=CLIENT+" ("+PERCENT+"%)" | rename PCLIENT as Client, CLIENT_QUERIES as Queries | fields Client, Queries | regex Client!="192.168.1.(1|2|3) "
Professional Services Engineer EMEA
08-01-2016 07:29 AM
I have over 100 grid members, with adds and removes to the grid on a monthly basis, so a hard-coded regex in each search is not really a scalable solution. I need something that is as fast as a regex or lookup table but is automatically kept in sync with the current grid members.
08-01-2016 10:51 AM
I had it in my head that lookup tables had defined input and output fields. They don’t, so the NIOS_members_ip.csv can take either field as an input and give you the other field as an output. This means the above code is not needed. Just a single lookup and null check is all that is needed.
It’s now on my list to make this into a radio button input field so the grid members can be shown or hidden as a dashboard selection. It’s down on my list a ways though. I’ll update if I ever get to it.
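The single reverse lookup and null check described above, placed into the Top DNS Clients search quoted earlier in the thread (an added example, not code posted by anyone in the thread). It assumes the lookup's MEMBER_IP values are in the same form as the CLIENT field, uses member_host as a made-up output field name, and filters before `head 10` so the report still returns ten non-member clients.

```spl
index=ib_dns_summary report=si_dns_top_clients
| lookup dns_viewkey_displayname_lookup VIEW output display_name
| stats sum(COUNT) as CLIENT_QUERIES by CLIENT
| lookup nios_member_ip_lookup MEMBER_IP as CLIENT OUTPUT host as member_host
| where isnull(member_host)
| sort -CLIENT_QUERIES
| head 10
| eventstats sum(CLIENT_QUERIES) as TOTAL
| eval PERCENT=round(CLIENT_QUERIES*100/TOTAL,1)
| eval PCLIENT=CLIENT+" ("+PERCENT+"%)"
| rename PCLIENT as Client, CLIENT_QUERIES as Queries
| fields Client, Queries
```

Running the lookup after `stats` means it is evaluated once per distinct client rather than once per event.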