Splunk Search

Lookup not working with a different index

Hazel
Communicator

Hello

I have written a dnslookup2 as follows; it simply takes the IP and returns the host:

external_lookup.py host2 ip

I am running this successfully on one of my searches as follows; it correctly calculates the host and returns it in the field host2:

index="tmpprodweblogic" source="*access.log" | rex field=_raw "(?<ip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* \/(?<Application>[^/]*\/[^/? ]*).*" | lookup dnslookup2 ip

The dnslookup2 is defined inside a transforms.conf for this application and has permissions for all apps (I have checked it in the manager).

However, I just tried to run it through a second index that is also generated through an inputs.conf in the same app, with this search:

index="tmpprodiislogs" *sysfaoloncbwsvc* | rex field=_raw "CSFB[^0-9]*(?<ip>[^A-Z]*)" | dedup ip | search host="slon19p10353" | lookup dnslookup2 ip 

This search does not generate an error so it must be finding dnslookup2, but it does not return a field called host2.

Am I doing something wrong? Is there a reason why it would work for one index and not the other? Is there any way to get more information out of Splunk about where it is failing?

Thanks! Hazel

1 Solution

Hazel
Communicator

I have found the answer to this question. Looking at the regex in the second instance, written by my colleague, the regex is not strong enough and allows spaces before/after the IP address to be included.

I have now fixed this by using the regex from my first query in my colleague's query, as follows:

index="tmpprodiislogs" *sysfaoloncbwsvc* host="slon19p10353" | rex field=_raw "(?<ip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.*" | dedup ip | lookup dnslookup2 ip | fields ip host2

I have also kept the more efficient statement switch - thanks ziegfried!

This works and returns the value from dnslookup2 in host2 🙂
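
As an added example (not from this thread, and not the real external_lookup.py), the Python below applies both regexes to a constructed IIS-style line and pushes the captured value through a stand-in for the Splunk external lookup CSV protocol (CSV with the lookup fields on stdin, same CSV with host2 filled on stdout), using a hypothetical reverse-DNS table, to show why the loose capture comes back with an empty host2:

```python
import csv
import io
import re

# Constructed IIS-style log line; not taken from the original thread.
SAMPLE_LINE = "2024-01-01 00:00:00 CSFB 10.20.30.40 GET /sysfaoloncbwsvc/ping 200"

# Loose pattern from the colleague's search: [^A-Z]* keeps matching past the IP.
LOOSE_RE = re.compile(r"CSFB[^0-9]*(?P<ip>[^A-Z]*)")
# Strict pattern from the working search: a dotted quad and nothing else.
STRICT_RE = re.compile(r"(?P<ip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)")

# Hypothetical reverse-DNS table standing in for the real resolver.
FAKE_DNS = {"10.20.30.40": "app01.example.internal"}


def extract_ip(pattern, line):
    """Return the 'ip' capture group, or None if the pattern does not match."""
    m = pattern.search(line)
    return m.group("ip") if m else None


def run_external_lookup(stdin_text, resolver, key="ip", out="host2"):
    """Stand-in for a Splunk external lookup script: read the CSV Splunk sends on
    stdin (header = lookup fields), fill the output column, write the CSV back."""
    reader = csv.DictReader(io.StringIO(stdin_text))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        # No trimming: the key must match exactly as Splunk extracted it.
        row[out] = resolver.get(row[key], "")
        writer.writerow(row)
    return buf.getvalue()


def lookup_host2(pattern, line):
    """Extract ip with the given regex, run it through the lookup, return host2."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["ip", "host2"], lineterminator="\n")
    writer.writeheader()
    writer.writerow({"ip": extract_ip(pattern, line), "host2": ""})
    result = run_external_lookup(buf.getvalue(), FAKE_DNS)
    return next(csv.DictReader(io.StringIO(result)))["host2"]


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_RE), ("strict", STRICT_RE)):
        ip = extract_ip(pattern, SAMPLE_LINE)
        print(name, repr(ip), repr(lookup_host2(pattern, SAMPLE_LINE)))
```

The loose regex hands the lookup "10.20.30.40 " with a trailing space, so the key never matches; the same value in a | table ip output looks identical, which is why the search shows IPs but no host2.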

ziegfried
Influencer

Does the following search give you a list of the IPs?

index="tmpprodiislogs" *sysfaoloncbwsvc* host="slon19p10353" | rex "CSFB[^0-9]*(?<ip>[^A-Z]*)" | dedup ip | table ip

(I've changed the order, because restricting the host before the rex/dedup command is more efficient.)


Hazel
Communicator

This does bring back the IPs, but I am trying to get the dnslookup to work. If I add lookup dnslookup2 ip, it just brings back an empty host2. Why would this not work on this search but on the other?
