I'm trying to do a reverse DNS lookup on a field in Splunk called client_ip. I'm running Splunk version 6.2.4. I've added details to my transforms.conf file and my props.conf file, both below.
transforms.conf
[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip
props.conf
[access_combined]
LOOKUP-rdns = dnsLookup ip AS clientip OUTPUTNEW host AS hostname
Do I need to add client_ip to the fields_list and then change the props.conf file also?
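The script that the transforms.conf above points at, as an added example (not the OP's file, and not Splunk's bundled external_lookup.py, whose dnslookup definition uses the field names clienthost and clientip as a later reply notes): it implements the stdin/stdout CSV protocol Splunk uses for external_cmd lookups, with the host and ip names from the OP's fields_list. Saved as external_lookup.py in an app's bin directory, it is what `| lookup dnsLookup ip AS client_ip OUTPUTNEW host AS hostname` would run.

```python
"""Reverse-DNS external lookup for Splunk (constructed example). Protocol: the
names from fields_list arrive as argv, a CSV with a header row arrives on stdin
(OUTPUT fields blank) and the same CSV, same header, goes back to stdout filled in."""
import csv
import socket
import sys


def reverse_lookup(ip):
    """PTR name for ip, or None when there is no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def fill_rows(rows, host_field, ip_field, resolver=reverse_lookup):
    """Fill host_field from ip_field wherever ip is set and host is empty.
    Unresolvable rows are returned unchanged; resolver is injectable so the
    CSV handling can be exercised without network access."""
    for row in rows:
        ip = (row.get(ip_field) or "").strip()
        if ip and not row.get(host_field):
            name = resolver(ip)
            if name:
                row[host_field] = name
    return rows


def main(argv=sys.argv, stdin=sys.stdin, stdout=sys.stdout):
    if len(argv) != 3:
        sys.stderr.write("usage: %s <host_field> <ip_field>\n" % argv[0])
        return 1
    host_field, ip_field = argv[1], argv[2]
    reader = csv.DictReader(stdin)
    # Splunk sends exactly the columns in fields_list; fail loudly if the header
    # lacks one so a misconfiguration shows up in search.log, not as blanks.
    if not reader.fieldnames or {host_field, ip_field} - set(reader.fieldnames):
        sys.stderr.write("header lacks %s and/or %s\n" % (host_field, ip_field))
        return 1
    writer = csv.DictWriter(stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in fill_rows(list(reader), host_field, ip_field):
        writer.writerow(row)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The field names passed on the command line must match fields_list exactly, and the props.conf stanza must reference those same names (or alias to them with AS), which is the mismatch the rest of this thread is chasing.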
Here is the breakdown: https://answers.splunk.com/answers/8051/dns-lookup-via-splunk.html
Reminder: please search first before creating a duplicate question.
Mreynov, the link you provided is where I first got the information to edit my props.conf and transforms.conf files with the details I listed above.
Keep in mind that the field I'm trying to do the reverse lookup on is called "client_ip", so does that matter at all? Here is my full search...
sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(client_ip) as distinctCount values(client_ip) | where distinctCount>1 | lookup dnsLookup ip AS clientip OUTPUTNEW host AS hostname
So far this search only shows me the distinct IPs (as it should) but it doesn't resolve those IPs.
Of course the field name matters.
Try:
sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(client_ip) as distinctCount values(client_ip) | where distinctCount>1 | lookup dnsLookup ip AS client_ip OUTPUTNEW host AS hostname
(hopefully hostname is a field that exists for you)
Tried your search and that didn't work.
Also, I don't have a hostname field. The only fields I have in my stats view are distinct view and client_ip.
Then try this:
sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(client_ip) as distinctCount values(client_ip) | where distinctCount>1 | lookup dnsLookup ip AS client_ip OUTPUTNEW hostname
You do not need to add the stuff in transforms.conf; you can exploit the ones that are already there simply by adding this to your props.conf:
LOOKUP-rdns = dnslookup clientip AS host OUTPUTNEW clienthost AS hostname
If this search works, then the above solution should too:
... | lookup dnslookup clientip AS host OUTPUTNEW clienthost AS hostname
Have you tried this search (and answer)?
Below is the only line in my props.conf file, and when I do the search it still won't perform the lookup. Also, I now get errors on any search that I do.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf '(?i)source::....zip(.\d+)?' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'ActiveDirectory' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Cisco:ISE:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:AFM:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:Access' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:DCFW' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:iRule:WebAccess' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5_SPLUNK_iRULE' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'PerformanceMonitor' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Splunk_TA_cisco-ise-too_small' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Splunk_TA_f5_bigip_main.log' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Splunk_TA_f5_bigip_main.log-too_small' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WinNetMonMk' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WinPrintMon' and lookup table 'dnsLookup'.
==============================
props.conf
LOOKUP-rdns = dnsLookup clientip AS host OUTPUTNEW clienthost AS hostname
If you have this entry in props, Splunk expects a lookup definition in transforms, something like this:
[dnsLookup]
filename = <>.csv