Splunk Search

Lookup not working with a different index

Hazel
Communicator

Hello

I have written a dnslookup2 as follows; it simply takes the ip and returns the host:

external_lookup.py host2 ip

I am running this successfully on one of my searches as follows; it correctly calculates the host and returns it in the field host2.

index="tmpprodweblogic" source="*access.log" | rex field=_raw "(?<ip>[0-9]+.[0-9]+.[0-9]+.[0-9]+).* \/(?<Application>[^/]*\/[^/? ]*).*" | lookup dnslookup2 ip

The dnslookup2 is defined inside a transforms.conf for this application and has permissions for all apps (I have checked it in the manager).

However, I just tried to run it through a second index that is also generated through an inputs.conf in the same app, with this search:

index="tmpprodiislogs" *sysfaoloncbwsvc* | rex field=_raw "CSFB[^0-9]*(?<ip>[^A-Z]*)" | dedup ip | search host="slon19p10353" | lookup dnslookup2 ip 

This search does not generate an error so it must be finding dnslookup2, but it does not return a field called host2.

Am I doing something wrong? Is there a reason why it would work for one index and not the other? Is there any way to get more information out of Splunk about where it is failing?

Thanks! Hazel

1 Solution

Hazel
Communicator

I have found the answer to this question. Looking at the regex in the second instance, written by my colleague, the regex is not strong enough and allows spaces before/after the IP address to be included.

I have now fixed this by using the regex from my first query in my colleague's query, as follows:

index="tmpprodiislogs" *sysfaoloncbwsvc* host="slon19p10353" | rex field=_raw "(?<ip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.*" | dedup ip | lookup dnslookup2 ip | fields ip host2

I have also kept the more efficient statement switch - thanks ziegfried!

This works and returns the value from dnslookup2 in host2 🙂
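
To show why a loose regex leaves host2 empty even though the lookup is found, here is an added example (not Hazel's script and not Splunk's shipped external_lookup.py) that emulates the external lookup protocol the question relies on: the script is invoked as `external_lookup.py host2 ip`, reads CSV with a header on stdin and writes the same CSV back with host2 filled in. The reverse-DNS table and the sample IPs are constructed so it runs offline; a trailing space captured by the `[^A-Z]*` pattern makes the key miss unless the script strips it.

```python
import csv
import io
import sys

# Constructed reverse-DNS table standing in for socket.gethostbyaddr(),
# so the example is deterministic and needs no network.
FAKE_PTR = {
    "10.0.0.5": "slon19p10353.example.internal",
    "10.0.0.6": "slon19p10354.example.internal",
}


def resolve_host(ip, ptr_table=FAKE_PTR):
    """Return the host for an ip, or "" when the key does not match exactly."""
    return ptr_table.get(ip, "")


def run_lookup(csv_text, ip_field="ip", host_field="host2", strict=True):
    """Emulate Splunk's external lookup protocol: CSV with header in, the same
    CSV out with the output field populated. With strict=True the ip value is
    used verbatim, so a trailing space (the regex bug in this thread) yields an
    empty host2; with strict=False the key is stripped before the lookup."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        key = row[ip_field] if strict else row[ip_field].strip()
        row[host_field] = resolve_host(key)
        writer.writerow(row)
    return out.getvalue()


def lookup_results(csv_text, strict=True):
    """Return {ip_as_received: host2} from the lookup output for inspection."""
    rows = csv.DictReader(io.StringIO(run_lookup(csv_text, strict=strict)))
    return {r["ip"]: r["host2"] for r in rows}


# Constructed input: the first ip was captured by the tight dotted-quad regex,
# the second by the loose "[^A-Z]*" pattern that swallowed a trailing space.
SAMPLE_INPUT = "ip,host2\n10.0.0.5,\n10.0.0.6 ,\n"

if __name__ == "__main__":
    # Splunk runs: external_lookup.py host2 ip   (output field, then key field)
    # and pipes the CSV rows on stdin.
    host_field, ip_field = sys.argv[1], sys.argv[2]
    sys.stdout.write(run_lookup(sys.stdin.read(), ip_field, host_field, strict=False))
```

Stripping the key inside the script is a defensive fallback; the tightened regex in the search above is still the right fix, since `dedup ip` also treats "10.0.0.6" and "10.0.0.6 " as different values.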

ziegfried
Influencer

Does the following search give you a list of the IPs?

index="tmpprodiislogs" *sysfaoloncbwsvc* host="slon19p10353" | rex "CSFB[^0-9]*(?<ip>[^A-Z]*)" | dedup ip | table ip

(I've changed the order, because reducing the host before the rex/dedup command is more efficient.)

Hazel
Communicator

This does bring back the IPs, but I am trying to get the dnslookup to work. If I add lookup dnslookup2 ip, it just brings back an empty host2. Why would this not work on this search but work on the other?
