Hi,
I want to limit the number of IP resolved by the "| lookup dnslookup" command.
Is there a way to do it?
EDIT: this limit should be general for all people using this command as I don't have control on how they use it.
Lookups will run for every event that's sent to them. In Splunk today, products like Enterprise Security use Data Model Acceleration to do lookups once and then bake the results into the accelerated data model. Unfortunately, it's not available in the regular search interface. You could write your own dnslookup custom search command which maintains state somewhere across invocations and throttles the number of DNS lookups. The downside to this is that you're going to get very inconsistent results with some events getting lookups and others not.
My recommendation would be to do DNS enrichment at ingestion time. Unfortunately, it's not possible in Splunk, but it is something we do in Cribl (https://cribl.io/). These types of lookups can be done once at ingestion and added as an index time field to the event as its moving. This also has the benefit of having DNS resolution done closer to the time of the originating event rather than days or weeks later.
Can you elaborate a bit on the context of this question? You have some search that returns a bunch of events/statistics and you only want to do a lookup for the top 10 results or so?
Don't think there is anything you can do about that in the lookup command itself. Only thing you can do is come up with some construct to reduce the search results before applying the lookup command.
In pseudo code:
search returning top 10 results
| lookup dnslookup
| append [ search returning the rest of the results ]
The details on how to do this strongly depend on what exactly you want to accomplish.
Hi,
Sorry, it wasn't, indeed, very clear.
My goal is to limit users to perform thousands of DNS request with the searches.
Therefore, I cannot control the base search before the lookup command..
I would like to limit it within the command.
In that case I guess you're out of luck. At least I can't think of a way to do that. The lookup command will simply apply to all entries you feed into it and the underlying python script has no notion of how often it is called.
So either educate your users, or somehow prevent them from using that lookup in the first place.
If this is about preventing overloading your company's DNS infrastructure, you could also consider setting up a dedicated caching DNS server specifically for splunk.
Is there a way to modify the etc/system/bin/external_lookup.py file so that it throws an error if it is asked to resolve X IPs ? (meaning X rows in Splunk)
No, because that script is called once per row in the lookup input. That script always only sees 1 input value, not a bundled set of multiple IPs as far as I know.