How do I edit my props.conf and transforms.conf to...

justin0104 · ‎10-30-2015

I'm trying to do a reverse DNS lookup on a field in Splunk called client_ip. I'm running Splunk version 6.2.4. I've added details to my transforms.conf file and my props.conf file, both below.

transforms.conf

[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

props.conf

[access_combined]
LOOKUP-rdns = dnsLookup ip AS clientip OUTPUTNEW host AS hostname

Do I need to add client_ip to the fields_list and then change the props.conf file also?

mreynov_splunk · ‎10-30-2015

Here is the breakdown: https://answers.splunk.com/answers/8051/dns-lookup-via-splunk.html

reminder: please search first, before creating a duplicate question.

justin0104 · ‎11-01-2015

Mreynov, The link you provided is where I first got the information to edit my props.conf and transforms.conf files with the details I listed above.

Keep in mind that the field i'm trying to do the reverse lookup on is called "client_ip" so does that matter at all? Here is my full search...

sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(client_ip) as distinctCount values(client_ip) | where distinctCount>1 | lookup dnsLookup ip AS clientip OUTPUTNEW host AS hostname

So far this search only shows me the distinct IPs (as it should) but it doesn't resolve those IPs.

mreynov_splunk · ‎11-02-2015

of course the field name mattes.

try
sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(client_ip) as distinctCount values(client_ip) | where distinctCount>1 | lookup dnsLookup ip AS client_ip OUTPUTNEW host AS hostname

(hopefully hostname is a field that exists for you)

justin0104 · ‎11-02-2015

Tried your search and that didn't work.

justin0104 · ‎11-02-2015

Also, I don't have a hostname field. The only fields I have in my stats view are distinct view and client_ip.

mreynov_splunk · ‎11-03-2015

then try this
sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(client_ip) as distinctCount values(client_ip) | where distinctCount>1 | lookup dnsLookup ip AS client_ip OUTPUTNEW hostname

woodcock · ‎10-30-2015

You do not need to add the stuff in transforms.conf; you can exploit the ones that are already there simply by adding this to your props.conf:

LOOKUP-rdns = dnslookup clientip AS host OUTPUTNEW clienthost AS hostname

If this search works, then the above solution should to:

... | lookup dnslookup clientip AS host OUTPUTNEW clienthost AS hostname

woodcock · ‎11-03-2015

Have you tried this search (and answer)?

justin0104 · ‎11-03-2015

Below is the only line in my props.conf file and when i do the search it still won't perform the lookup. Also, i get errors now on any search that i do.

Error 'Could not find all of the specified lookup fields in the lookup table.' for conf '(?i)source::....zip(.\d+)?' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'ActiveDirectory' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Cisco:ISE:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:AFM:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:Access' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:DCFW' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:iRule:WebAccess' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5_SPLUNK_iRULE' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'PerformanceMonitor' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Splunk_TA_cisco-ise-too_small' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Splunk_TA_f5_bigip_main.log' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Splunk_TA_f5_bigip_main.log-too_small' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WinNetMonMk' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WinPrintMon' and lookup table 'dnsLookup'.

==============================
props.conf
LOOKUP-rdns = dnsLookup clientip AS host OUTPUTNEW clienthost AS hostname

mreynov_splunk · ‎11-03-2015

if you have this entry in props, Splunk expects a lookup definition in transforms, something like this:

[dnsLookup]
filename = <>.csv

How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!