topic Update existing records to add DNS hostname in All Apps and Add-ons

Update existing records to add DNS hostname

schnarked — Tue, 02 Sep 2014 06:14:46 GMT

Hiya all,

Managed to get DNS lookups working today (slight variation on the instructions was required!), but I got asked if we could get the data added for previous records so people could search on that through the (default) search window)

From what i've read, I understand that once the data is written, its immutable, but that an automatic lookup might help me out?

Grateful if someone could point me in the right direction.

Cheers,

Kieran

Re: Update existing records to add DNS hostname

lguinn2 — Mon, 28 Sep 2020 17:27:25 GMT

First, a general suggestion: This is the best place to learn about lookups, because you can do it all from the GUI
Tutorial - Use Field Lookups. You don't have to manually edit props.conf or transforms.conf

Now, unlike the tutorial, you want to use a script rather than a lookup table. So, skip the sections of the tutorial that explain how to upload and share the lookup table. You will start with the lookup definition.

Specific steps:

Go to Settings and choose Lookups.
Skip the Lookup Table Files. Under Lookup Definitions, note that there is already a lookup named dnslookup. This is the one that you will use. It should already be set with global sharing and read permissions for everyone. You should not need to add anything, just confirm these settings and fix them if needed.
Under Automatic Lookups, you will need to create a new automatic lookup
for each sourcetype where you want the DNS lookup performed. Take a look
at the tutorial for details. Following are the settings for the fields:

Destination app: probably Search, but your choice

Name: choose a unique name for the automatic lookup

Lookup table: choose dnslookup from the list

Apply to: Sourcetype and carefully enter the exact name of the sourcetype - no wildcards!

Lookup input fields: clientip your_ip_field_name

Lookup output fields: clienthost your_host_field_name

Not that for the input and output fields, there are two boxes. The left box should contain the field names that the script uses. The right box is for the name of the corresponding field in your data. After you have created the automatic lookup, you will probably want to set the permissions for it to global for everyone.

Finally, there are other answers that might also help:
DNS lookup via Splunk is one of the best.

Re: Update existing records to add DNS hostname

schnarked — Wed, 03 Sep 2014 01:46:35 GMT

Thanks for this - provides exactly the info that was required. It would be great if the Splunk doco was updated to reflect, this much, much, much simpler way of doing dns lookups!

One thing for other people who might do this - I did notice is that when you're doing searches (i.e. hostname="devicename"), it is slow for the 1st time that the info is added to the record. Once its added, its all fast again, which is as you would expect as its updating historical records, but once its there (which is the case for new info anyways), its all good!

Re: Update existing records to add DNS hostname

lguinn2 — Wed, 03 Sep 2014 20:42:50 GMT

Actually, Splunk isn't adding any info to the record - you can't update existing data. However, Splunk does cache the data it has looked up, therefore you see a good speed increase.