I am creating a failed login report from WMI security log entries. My temporary search command looks like:
sourcetype="WMI*Security" Type="Audit Failure" Account_Name=* | stats values(Account_Name) values(Client_Address) values(Client_Port) by _time
Client_Address values are IP addresses, and I would like them to be displayed as the host name. How can I accomplish that?
FYI, I have already read the article on Lookup command to resolve IP to Host. http://docs.splunk.com/Documentation/Splunk/4.2.2/Knowledge/Addfieldsfromexternaldatasources
And I am having trouble understanding how to set it up and make use of it in my search. Really appreciate any help.
Thanks!
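
Added example, not part of the original post and not Splunk's own code: a stand-alone Python sketch of the CSV-in/CSV-out enrichment that a scripted lookup performs, filling a host name column for each Client_Address by reverse DNS. The Client_Host field name, the sample rows and the stub resolver are assumptions made for illustration, as is the handling of `::ffff:`-prefixed addresses.

```python
import csv
import io
import ipaddress
import socket
import sys


def normalize(addr):
    """Return a canonical IP string, or None if addr is not an IP address."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None  # e.g. "-" or an empty Client_Address
    # Assumption: some Windows events log IPv4 clients as ::ffff:a.b.c.d
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped or ip)


def reverse_dns(ip):
    """PTR lookup; empty string when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return ""


def enrich(infile, outfile, ip_field="Client_Address",
           host_field="Client_Host", resolver=reverse_dns):
    """Copy CSV rows from infile to outfile, filling host_field via resolver."""
    reader = csv.DictReader(infile)
    fields = list(reader.fieldnames or [])
    if host_field not in fields:
        fields.append(host_field)
    writer = csv.DictWriter(outfile, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    cache = {}  # one DNS query per distinct address
    for row in reader:
        ip = normalize(row.get(ip_field) or "")
        if ip is not None and ip not in cache:
            cache[ip] = resolver(ip)
        row[host_field] = cache.get(ip, "")
        writer.writerow(row)


if __name__ == "__main__":
    # Constructed sample rows and a stub resolver, so this runs offline.
    sample = "Account_Name,Client_Address\r\nalice,::ffff:10.1.2.3\r\nbob,-\r\n"
    known = {"10.1.2.3": "ws01.example.test"}
    enrich(io.StringIO(sample), sys.stdout, resolver=lambda ip: known.get(ip, ""))
```

In a real lookup script the call would be `enrich(sys.stdin, sys.stdout)` with the default resolver. Values that are not IP addresses, or that have no reverse record, produce an empty host name instead of an error.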