Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How can I limit the number of DNS requests done by the dnslookup lookup?

davietch
Path Finder
‎10-31-2018 03:10 AM

Hi,

I want to limit the number of IP resolved by the "| lookup dnslookup" command.

Is there a way to do it?

EDIT: this limit should be general for all people using this command as I don't have control on how they use it.

0 Karma
Reply

coccyx
Path Finder
‎10-31-2018 08:56 AM

Lookups will run for every event that's sent to them. In Splunk today, products like Enterprise Security use Data Model Acceleration to do lookups once and then bake the results into the accelerated data model. Unfortunately, it's not available in the regular search interface. You could write your own dnslookup custom search command which maintains state somewhere across invocations and throttles the number of DNS lookups. The downside to this is that you're going to get very inconsistent results with some events getting lookups and others not.

My recommendation would be to do DNS enrichment at ingestion time. Unfortunately, it's not possible in Splunk, but it is something we do in Cribl (https://cribl.io/). These types of lookups can be done once at ingestion and added as an index time field to the event as its moving. This also has the benefit of having DNS resolution done closer to the time of the originating event rather than days or weeks later.

0 Karma
Reply

FrankVl
Ultra Champion
‎10-31-2018 05:47 AM

Can you elaborate a bit on the context of this question? You have some search that returns a bunch of events/statistics and you only want to do a lookup for the top 10 results or so?

Don't think there is anything you can do about that in the lookup command itself. Only thing you can do is come up with some construct to reduce the search results before applying the lookup command.

In pseudo code:

search returning top 10 results
| lookup dnslookup
| append [ search returning the rest of the results ]

The details on how to do this strongly depend on what exactly you want to accomplish.

0 Karma
Reply

davietch
Path Finder
‎10-31-2018 05:49 AM

Hi,

Sorry, it wasn't, indeed, very clear.
My goal is to limit users to perform thousands of DNS request with the searches.
Therefore, I cannot control the base search before the lookup command..
I would like to limit it within the command.

0 Karma
Reply

FrankVl
Ultra Champion
‎10-31-2018 06:01 AM

In that case I guess you're out of luck. At least I can't think of a way to do that. The lookup command will simply apply to all entries you feed into it and the underlying python script has no notion of how often it is called.

So either educate your users, or somehow prevent them from using that lookup in the first place.

If this is about preventing overloading your company's DNS infrastructure, you could also consider setting up a dedicated caching DNS server specifically for splunk.

Reply

davietch
Path Finder
‎10-31-2018 09:05 AM

Is there a way to modify the etc/system/bin/external_lookup.py file so that it throws an error if it is asked to resolve X IPs ? (meaning X rows in Splunk)

0 Karma
Reply

FrankVl
Ultra Champion
‎10-31-2018 09:14 AM

No, because that script is called once per row in the lookup input. That script always only sees 1 input value, not a bundled set of multiple IPs as far as I know.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...