Ok I ended up answering my own question. Getting dnslookup to resolve with an outside name server such as 8.8.8.8 requires the DNSpython mod to be installed. However, it needs to be installed under the Splunk python lib. The dnspython mod can be obtained from: www.dnspython.org. You don't have to use the setup.py. But if you use it (like I did) then just follow the instructions below:
If you used the setup.py then copy the contents of the folder below:
/usr/local/lib/python2.7/dist-packages/dns
Or just copy the dns/ folder from the zip/tar.gz
and place it in:
/opt/splunk/lib/python2.7/site-packages/dns
Then create a new python script called ezlookup.py based off of external_lookup.py under the following folder:
/opt/splunk/etc/system/bin
ezlookup.py is below:
#!/usr/bin/env python
import csv
import sys
import dns.exception
import dns.resolver

""" Edited from external_lookup.py by Pryzrak.
Allows DNS queries from external nameserver of your choice.
"""

# Nameservers to query; separate entries by ',' e.g. ['8.8.8.8', '8.8.4.4']
NAMESERVERS = ['8.8.8.8']


def make_resolver():
    """Build a resolver that asks only NAMESERVERS instead of the host's resolv.conf."""
    my_resolver = dns.resolver.Resolver()
    my_resolver.nameservers = NAMESERVERS
    return my_resolver


# Given an ip, find the host (PTR record)
def rlookup(ipaddy):
    ipaddy = str(ipaddy)
    try:
        my_resolver = make_resolver()
        # Build the reverse name: 1.2.3.4 -> 4.3.2.1.in-addr.arpa
        octets = ipaddy.split('.')
        octets.reverse()
        ipaddy = '.'.join(octets) + '.in-addr.arpa'
        hostname = str(my_resolver.query(ipaddy, "PTR")[0])
        return hostname
    except dns.exception.DNSException:
        # NXDOMAIN, NoAnswer, NoNameservers and Timeout all land here
        return ''


# Given a host, find the ip (first A record)
def lookup(host):
    try:
        my_resolver = make_resolver()
        rawanswer = my_resolver.query(host, 'A')
        for rdata in rawanswer:
            return rdata.address
        return ''
    except dns.exception.DNSException:
        # Return '' (not []) so a failed lookup leaves the field empty in the CSV
        return ''


def main():
    if len(sys.argv) != 3:
        print "Usage: python ezlookup.py [host field] [ip field]"
        sys.exit(1)

    hostfield = sys.argv[1]
    ipfield = sys.argv[2]

    infile = sys.stdin
    outfile = sys.stdout

    r = csv.DictReader(infile)
    w = csv.DictWriter(outfile, fieldnames=r.fieldnames)
    w.writeheader()

    for result in r:
        # Perform the lookup or reverse lookup if necessary
        if result[hostfield] and result[ipfield]:
            # both fields were provided, just pass it along
            w.writerow(result)
        elif result[hostfield]:
            # only host was provided, add ip
            result[ipfield] = lookup(result[hostfield])
            w.writerow(result)
        elif result[ipfield]:
            # only ip was provided, add host
            result[hostfield] = rlookup(result[ipfield])
            if result[hostfield]:
                w.writerow(result)


main()
Then edit the following .conf to make the new ezlookup command:
/opt/splunk/etc/system/default/transforms.conf
Add the following to transforms.conf:
# EZ external lookup
[ezlookup]
external_cmd = ezlookup.py clienthost clientip
fields_list = clienthost clientip
And finished. NO Splunk restart or system reboot is required.
DNS resolves with the open google nameserver 8.8.8.8 or your preferred nameserver.
If anyone has any questions, please shoot me a message. v/r, Pryzrak.
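Added example, not Pryzrak's script above: the same external lookup rewritten for Splunk's current Python 3, with the CSV handling split from the DNS calls so it can be exercised with stub resolvers on a box that has no dnspython. Assumptions: dnspython is installed under Splunk's Python (`resolve()` on 2.x, falling back to `query()` on 1.x), the field names clienthost/clientip come from the transforms.conf stanza above, and the nameserver list and any sample rows are constructed. Three things differ from the script above that a practitioner would want: `Resolver(configure=False)` pins queries to the listed servers only, `lifetime` bounds how long a search can block on DNS, and an address is validated with `ipaddress` before a reverse name is built (IPv6 works too via `dns.reversename`). A host with several A records yields one output row per address.

```python
#!/usr/bin/env python3
"""Splunk external lookup pinned to an explicit nameserver list (added example,
not the poster's script; Python 3 + dnspython assumed; names are constructed)."""
import csv
import io
import ipaddress
import sys

NAMESERVERS = ['8.8.8.8']   # constructed default; list several to fail over
DNS_LIFETIME = 3.0          # total seconds per query so a search never hangs


def make_dns_resolvers(nameservers, lifetime=DNS_LIFETIME):
    """Return (lookup, rlookup) callables backed by dnspython.

    dnspython is imported here rather than at module level so the CSV logic
    below stays importable and testable on a host without the library.
    """
    import dns.exception
    import dns.resolver
    import dns.reversename

    resolver = dns.resolver.Resolver(configure=False)  # ignore /etc/resolv.conf
    resolver.nameservers = list(nameservers)
    resolver.lifetime = lifetime
    # dnspython 2.x added resolve(); 1.x only has query()
    resolve = getattr(resolver, 'resolve', resolver.query)

    def lookup(host):
        """Forward lookup: every A record for host, [] on any DNS failure."""
        try:
            return [r.address for r in resolve(host, 'A')]
        except dns.exception.DNSException:
            return []

    def rlookup(ip):
        """Reverse lookup: PTR name for an IPv4/IPv6 address, '' on failure."""
        try:
            ipaddress.ip_address(ip)                 # reject non-addresses first
            name = dns.reversename.from_address(ip)  # in-addr.arpa or ip6.arpa
            return str(resolve(name, 'PTR')[0]).rstrip('.')
        except (ValueError, dns.exception.DNSException):
            return ''

    return lookup, rlookup


def process_rows(rows, hostfield, ipfield, lookup, rlookup):
    """Apply Splunk's external-lookup contract to row dicts; return output rows.

    Both fields present: pass through unchanged.  Host only: one output row
    per resolved address.  IP only: a row only when a PTR record exists.
    """
    out = []
    for row in rows:
        if row.get(hostfield) and row.get(ipfield):
            out.append(dict(row))
        elif row.get(hostfield):
            for ip in lookup(row[hostfield]):
                out.append(dict(row, **{ipfield: ip}))
        elif row.get(ipfield):
            host = rlookup(row[ipfield])
            if host:
                out.append(dict(row, **{hostfield: host}))
    return out


def process_csv(infile, outfile, hostfield, ipfield, lookup, rlookup):
    """Read Splunk's CSV from infile, write the enriched CSV to outfile."""
    reader = csv.DictReader(infile)
    writer = csv.DictWriter(outfile, fieldnames=reader.fieldnames,
                            lineterminator='\n')
    writer.writeheader()
    for row in process_rows(reader, hostfield, ipfield, lookup, rlookup):
        writer.writerow(row)


def process_text(text, hostfield, ipfield, lookup, rlookup):
    """String-in, string-out wrapper around process_csv (handy for tests)."""
    out = io.StringIO()
    process_csv(io.StringIO(text), out, hostfield, ipfield, lookup, rlookup)
    return out.getvalue()


def main(argv=None):
    argv = sys.argv if argv is None else argv
    if len(argv) != 3:
        sys.stderr.write("Usage: ezlookup.py [host field] [ip field]\n")
        return 1
    lookup, rlookup = make_dns_resolvers(NAMESERVERS)
    process_csv(sys.stdin, sys.stdout, argv[1], argv[2], lookup, rlookup)
    return 0


if __name__ == '__main__':
    sys.exit(main())
```

It drops into /opt/splunk/etc/system/bin with the same `external_cmd = ezlookup.py clienthost clientip` stanza. To check the CSV plumbing without touching the network, call `process_text("clienthost,clientip\nweb.example.com,\n", 'clienthost', 'clientip', stub_lookup, stub_rlookup)` with two small stub functions in place of the dnspython-backed ones.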