Splunk Search

How to get an automatic lookup to run after dnslookup to first translate the name from the IP of devices on my network?

GRMcCauley
Explorer

Hi all,

I'm VERY new to Splunk and I'm trying to learn. I have a RPi running dnsmasq on my home network and have it sending its DHCP and DNS queries to Splunk. I've already done some field extractions and it's coming along very nicely. It's pretty cool. 🙂

My problem is that I have a LOT of android devices on my network and they all show up with a name of android-XXXXXXXXXXXX. I created a lookup table with the android names and which devices they are. I created an Automatic Lookup for both the DHCP and DNS sourcetypes. For DHCP, it's working great. For my DNS data, I'm also using dnslookup to translate the name from the IP of the device that issued the query. Here, automatic lookups are not working.

If I add the lookup command it's fine.

sourcetype=dnsmasq:dns
| lookup dnslookup clientip as client_ip OUTPUT clienthost as client_fqdn
| eval client_name=replace(client_fqdn, ".mydomain.net", "")
| search client_name=android*
| lookup device_lookup client_name
| table _time, query_type, query, client_name, device_owner, device_model

But without it, it does not show anything for device_owner or device_model.

sourcetype=dnsmasq:dns
| lookup dnslookup clientip as client_ip OUTPUT clienthost as client_fqdn
| eval client_name=replace(client_fqdn, ".mydomain.net", "")
| search client_name=android*
| table _time, query_type, query, client_name, device_owner, device_model

My assumption is that the automatic lookup is trying to happen before the dnslookup. I've even made my lookup table accept wildcards so that I don't need the eval command to strip the domain name, but that still didn't work.

Any help would be appreciated!


lguinn2
Legend

An automatic lookup always occurs as part of the base search - before the first pipe. So your assumption is correct and there is nothing you can do about that, except explicitly run the lookup as you did in the first example.


GRMcCauley
Explorer

Thank you! I was able to get around it by creating an automatic lookup using dnslookup, but the results were a little sporadic (some events for the same IP would have the device_owner and device_model fields and others wouldn't). I think I'm going to create another lookup table that gets updated via script triggered by DHCPACK events to keep a lookup table of internal IPs to hostnames.


GRMcCauley
Explorer

For anyone interested, I wound up creating a scheduled search on my DHCPACK events that triggers a PowerShell script that updates a csv file. That csv file was used for another lookup to add a name field based on IP. I then used that to create another automatic lookup (be careful of naming, as automatic lookups happen in alphabetical order of name) that ran before the automatic lookup that adds fields for device info based on name.

All in all, I like this solution better as I'm not constantly looking up the same IPs via nslookup.
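The IP-to-hostname lookup maintenance described in the post above, as an added example that is not the poster's PowerShell script: a small Python script that folds the results of a scheduled DHCPACK search into a lookup CSV keyed by client IP, so the newest lease for an address replaces any stale name. Field names (client_ip, hostname, mac, _time) and the CSV layout are assumptions to be matched to your own extractions.

```python
"""Fold DHCPACK events into an IP-to-hostname lookup CSV (added example)."""
import csv
import sys
from datetime import datetime, timezone

# Field names are assumptions; match them to your own dnsmasq extractions.
FIELDS = ["client_ip", "client_name", "mac", "last_seen"]


def merge_dhcpack(existing_rows, events):
    """Return lookup rows after merging new DHCPACK events, keyed by IP.

    Events are applied oldest-first so the latest lease for an address wins;
    a reused IP therefore stops carrying the previous device's identity.
    """
    table = {row["client_ip"]: dict(row) for row in existing_rows}
    for ev in sorted(events, key=lambda e: float(e["_time"])):
        seen = datetime.fromtimestamp(float(ev["_time"]), tz=timezone.utc)
        table[ev["client_ip"]] = {
            "client_ip": ev["client_ip"],
            "client_name": ev["hostname"],
            "mac": ev["mac"],
            "last_seen": seen.strftime("%Y-%m-%dT%H:%M:%SZ"),
        }
    return sorted(table.values(), key=lambda r: r["client_ip"])


def read_csv(path):
    """Read a CSV into dicts; a missing lookup file is treated as empty."""
    try:
        with open(path, newline="") as fh:
            return list(csv.DictReader(fh))
    except FileNotFoundError:
        return []


def update_lookup(lookup_path, events_path):
    """Merge the search results CSV into the lookup CSV and write it back."""
    rows = merge_dhcpack(read_csv(lookup_path), read_csv(events_path))
    with open(lookup_path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    return rows


if __name__ == "__main__":
    # Usage: update_lookup.py ip_to_host.csv dhcpack_results.csv
    print(len(update_lookup(sys.argv[1], sys.argv[2])), "rows written")
```

Point the resulting CSV at a lookup definition named so that it sorts before the device lookup, since automatic lookups are applied in alphabetical order of name.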
