All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Reverse DNS Lookup not working

shocko
Contributor
‎01-12-2017 05:43 AM

Guys, the following query will return the hostname and resolved IP address form a windows event:

index = myindex="WinEventLog:Directory Service" EventCode=2889| lookup dnslookup clienthost as host | table host,clientip

However, a reverse lookup on a calculated IP address from the same event never resolves the IP address to a hostname i.e. clienthost is not populated

index = myindex source="WinEventLog:Directory Service" EventCode=2889 | rex field=_raw "(?s)IP address:(?.?):.:(?.)" | lookup dnslookup clientip As cip OUTPUT clienthost | table cip,clienthost*

DNS on the underlying windows server is fine. My transforms.conf file stanza is as follows:

[dnslookup]
external_cmd = external_lookup.py clienthost clientip
fields_list = clienthost,clientip

Please help! driving me nuts.

0 Karma
Reply

hunters_splunk
Splunk Employee
Splunk Employee
‎01-16-2017 10:57 AM

Hi shocko,

Seems your rex syntax is not correct.
When you use the rex command, you must specify a new field name (in brackets) to which to assign the regex-captured group.
For example, extract "from" and "to" fields using regular expressions. If a raw event contains "From: Susan To: Bob", then from=Susan and to=Bob. 

... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"

For more information, please refer to documentation:
http://docs.splunk.com/Documentation/Splunk/6.5.1/SearchReference/Rex

Hope this helps. Thanks!
Hunter

0 Karma
Reply

shocko
Contributor
‎01-17-2017 06:52 AM

Apologies, I have edited my original post! the cip rex was working. The issues was the actual rex I was performing needed to account for line breaks. this works for me:

index = corp-dc source="WinEventLog:Directory Service" EventCode=2889 | rex field=_raw "(?s)IP address:\D*(?.?):.:(?.)" | lookup dnslookup clientip As cip OUTPUT clienthost | table cip,clienthost*

thanks to my vendor engineer Keith for pointing this one out! 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...