Solved: what actually dnslookup doing in my query? and wha...

pavanae · ‎01-19-2018

Generally, In splunk the below is the way to open or display a lookup file

| inputlookup ABCD.csv

but what does the below lookup used in between my query

| inputlookup ABCD.csv | lookup dnslookup field_1 AS Field_one OUTPUT field_2 AS field_two

While trying to understand the above query. The first thing I tried is below to check what's inside the lookup dnslookup

| inputlookup dnslookup

which didn't displayed any results. Could someone explains what actually | lookup dnslookup does in my query and how to check what's inside that lookup?

mayurr98 · ‎01-19-2018

This is a DNS lookup example, the CSV file contains the two fields clienthost and clientip. It is an external_lookup.py file invoked through scripts that is why you can not see using inputlookup command.
Here is doc which says this
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/DefineanexternallookupinSplunkWeb#Extern...

so if you have clientip you can get clienthost or vice-versa using this lookup file.
Also on Web UI it is configured in Settings » Lookups » Lookup definitions » dnslookup

let me know if it helps !

View solution in original post

mayurr98 · ‎01-19-2018

This is a DNS lookup example, the CSV file contains the two fields clienthost and clientip. It is an external_lookup.py file invoked through scripts that is why you can not see using inputlookup command.
Here is doc which says this
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/DefineanexternallookupinSplunkWeb#Extern...

so if you have clientip you can get clienthost or vice-versa using this lookup file.
Also on Web UI it is configured in Settings » Lookups » Lookup definitions » dnslookup

let me know if it helps !

what actually dnslookup doing in my query? and what is it?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms