I am using external_lookup.py in Splunk to resolve the IPs/hostnames and get the respective hostnames/IPs. I could see that the python script is only able to resolve the internal IPs/hostnames but not external IPs/hostnames like www.google.com or so. I am assuming that because of the proxy it's not able to resolve the external IPs/hostnames. If anyone has tried this before, can you please guide me how can I achieve that?
After spending some time on troubleshooting, I found that the name server that is there for my Search heads can only resolve internal IPs/Hostnames. Resolving external IPs/Hostnames is out of scope for the name server.
After spending some time on troubleshooting, I found that the name server that is there for my Search heads can only resolve internal IPs/Hostnames. Resolving external IPs/Hostnames is out of scope for the name server.
Ya I could get an output field clientip for the internal host names but not external host names. Later just found that resolving any external host names is out of scope for the available name server.
If you look at external_lookup.py script, it uses python socket module which interacts with OS name resolution (DNS) server, if DNS server which is configured in OS (On which splunk is running) is blocking any external name resolution then you can't resolve external IP/hostnames with external_lookup.py script and you might need to create your own script which use proxy IP for name resolution on external DNS servers but I am not expert on this so can't help much more here.
