So I have a search that gives me IP addresses of internal servers. I would like to modify it so that it gives me the IP and DNS name of the servers.
Looking through other Answers, I have created a transforms.conf in Splunk\etc\system\local with the below.
[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip
But when I search with:
index=* src_ip="10.0.0.0/8" YouTube.com sourcetype!=optiv_threat_list | lookup dnslookup ip as dst
I get this error:
Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table
I know I am missing something, but not sure what.
Thanks
index=* src_ip="10.0.0.0/8" YouTube.com sourcetype!=optiv_threat_list |dedup src_ip | lookup dnslookup clientip AS src_ip OUTPUT clienthost as Hostname
That was the ultimate solution
In the latest versions of Splunk this is now built in and enabled by default, so there is no need to add or configure anything. If you are only interested in getting it working and you are on an older version of Splunk, you can download this app:
https://splunkbase.splunk.com/app/1535/
I am running 6.3.1 currently.
Before adding that to the transform, I still did not get any IP to DNS resolution. Since I was looking at an old answer, is the search format different as well?
The built-in one uses clientip and clienthost, so you should use this, assuming you have a field called dst:
index=* src_ip="10.0.0.0/8" YouTube.com sourcetype!=optiv_threat_list | lookup dnslookup clientip AS dst
The example I was looking at used dst, so I figured it was a Splunk field of note. Looking, I guess it is not.
So if I do not have a field of that name, and wanted to use Hostname instead, how would I go about adding it for manual dynamic searches like this?
Like this:
index=* src_ip="10.0.0.0/8" YouTube.com sourcetype!=optiv_threat_list | lookup dnslookup clientip AS YourFieldNameHereForDottedQuadIP
So if your field Hostname contains dotted quads, then this:
index=* src_ip="10.0.0.0/8" YouTube.com sourcetype!=optiv_threat_list | lookup dnslookup clientip AS Hostname
Hrm, so then if this were to work, I would have a new field name created, due to the AS statement, when I look at my fields list in my search, correct?
If that is the case, then I must have something wrong, as there is no new field, regardless of the name I use.
Figured it out, something was missing.
index=* src_ip="10.0.0.0/8" YouTube.com sourcetype!=optiv_threat_list |dedup src_ip | lookup dnslookup clientip AS src_ip OUTPUT clienthost as Hostname
That worked and gave me the hostname field.
The documentation for this new lookup was missing that; I found it in someone's blog via a Google search.
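To show why the working search has to map clientip AS src_ip and OUTPUT clienthost as Hostname, here is an added example of what an external lookup in the shape of the built-in dnslookup does under the hood. This is illustration code written for this thread, not Splunk's own external_lookup.py: Splunk pipes a CSV whose header names the fields from fields_list (clientip, clienthost) into the script's stdin, one row per event with the unknown field left blank, and reads back the same CSV with the blanks filled. The field names in the search must therefore be the script's own field names, not ip/host or dst. The sample rows, the fake PTR/A tables used to keep it offline, and the helper names are all constructed for the example.

```python
#!/usr/bin/env python3
"""Illustration of the Splunk external-lookup CSV protocol (added example,
not Splunk's external_lookup.py).

Splunk invokes the script from transforms.conf as:
    external_cmd = <script> clientip clienthost
    fields_list  = clientip, clienthost
and feeds it a CSV on stdin whose header is exactly those field names.
"""
import csv
import io
import socket
import sys
from typing import Callable, Dict, Iterable, List, Optional

IP_FIELD = "clientip"
HOST_FIELD = "clienthost"

Resolver = Callable[[str], Optional[str]]


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup through the system resolver; None if it cannot be resolved."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def forward_lookup(host: str) -> Optional[str]:
    """A-record lookup through the system resolver; None on failure."""
    try:
        return socket.gethostbyname(host)
    except (socket.gaierror, OSError):
        return None


def fill_rows(rows: Iterable[Dict[str, str]],
              reverse: Resolver = reverse_lookup,
              forward: Resolver = forward_lookup) -> List[Dict[str, str]]:
    """Fill whichever of clientip/clienthost is blank in each row.

    Rows are passed through one-for-one: an unresolvable value stays blank
    rather than dropping the row, so Splunk still matches output to events.
    """
    out = []
    for row in rows:
        row = dict(row)
        ip = (row.get(IP_FIELD) or "").strip()
        host = (row.get(HOST_FIELD) or "").strip()
        if ip and not host:
            resolved = reverse(ip)
            if resolved:
                row[HOST_FIELD] = resolved
        elif host and not ip:
            resolved = forward(host)
            if resolved:
                row[IP_FIELD] = resolved
        out.append(row)
    return out


def run_lookup(infile, outfile,
               reverse: Resolver = reverse_lookup,
               forward: Resolver = forward_lookup) -> int:
    """Read the CSV Splunk sends, resolve blanks, write it back. Returns row count."""
    reader = csv.DictReader(infile)
    if reader.fieldnames is None:
        return 0
    header = list(reader.fieldnames)
    missing = [f for f in (IP_FIELD, HOST_FIELD) if f not in header]
    if missing:
        # The script only knows its own field names; a header without them
        # means the lookup was invoked with fields it cannot serve.
        raise ValueError(f"missing lookup fields in input: {missing}")
    writer = csv.DictWriter(outfile, fieldnames=header)
    writer.writeheader()
    rows = fill_rows(reader, reverse, forward)
    writer.writerows(rows)
    return len(rows)


# Constructed sample input in the exact shape Splunk would pipe in:
# clienthost blank where the search supplied an IP, clientip blank where it
# supplied a name. The third row is an address with no PTR record.
SAMPLE_INPUT = """clientip,clienthost
10.1.2.3,
,printer.corp.example
192.0.2.7,
"""

# Fake DNS data (assumption for the example) so it runs offline.
FAKE_PTR = {"10.1.2.3": "web01.corp.example"}
FAKE_A = {"printer.corp.example": "10.1.2.40"}


def demo() -> List[Dict[str, str]]:
    """Run the lookup over SAMPLE_INPUT with the fake resolvers and parse the result."""
    out = io.StringIO()
    run_lookup(io.StringIO(SAMPLE_INPUT), out,
               reverse=lambda ip: FAKE_PTR.get(ip),
               forward=lambda h: FAKE_A.get(h))
    return list(csv.DictReader(io.StringIO(out.getvalue())))


if __name__ == "__main__":
    # As Splunk would run it: CSV in on stdin, CSV out on stdout.
    run_lookup(sys.stdin, sys.stdout)
```

With this shape the search side reads naturally: `lookup dnslookup clientip AS src_ip OUTPUT clienthost AS Hostname` tells Splunk to put src_ip into the clientip column, and to copy the clienthost column the script fills in back out as Hostname. Without the OUTPUT clause the resolved name comes back under the script's own name, clienthost, which is why the earlier attempts showed no new field.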