https://community.splunk.com/t5/Getting-Data-In/DNS-Resolution-Revisited/m-p/125062#M25786 <P>I previously asked for some help on setting up dns resolution when performing searches and I got some great info and was able to get it all working. BUT, after a recent change in my Splunk install (the version I was using expired), the dns resolution will not work.</P> <P>I have the required lines on my transforms.conf:<BR /> <STRONG>[dnsLookup]<BR /> external_cmd = external_lookup.py host ip<BR /> fields_list = host, ip</STRONG></P> <P>Then in my search I have (where dst is the ip address I want resolved):<BR /> <STRONG>source="udp:64514" SSH_Connects | lookup dnsLookup dst</STRONG></P> <P>Rather than get the data I require with the dst resolved I get this error:<BR /> <STRONG>Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.</STRONG> </P> <P>Can anyone enlighten me on what I'm doing wrong.</P> Mon, 28 Sep 2020 15:10:06 GMT balcv 2020-09-28T15:10:06Z https://community.splunk.com/t5/Getting-Data-In/DNS-Resolution-Revisited/m-p/125062#M25786 <P>I previously asked for some help on setting up dns resolution when performing searches and I got some great info and was able to get it all working. BUT, after a recent change in my Splunk install (the version I was using expired), the dns resolution will not work.</P> <P>I have the required lines on my transforms.conf:<BR /> <STRONG>[dnsLookup]<BR /> external_cmd = external_lookup.py host ip<BR /> fields_list = host, ip</STRONG></P> <P>Then in my search I have (where dst is the ip address I want resolved):<BR /> <STRONG>source="udp:64514" SSH_Connects | lookup dnsLookup dst</STRONG></P> <P>Rather than get the data I require with the dst resolved I get this error:<BR /> <STRONG>Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table.</STRONG> </P> <P>Can anyone enlighten me on what I'm doing wrong.</P> Mon, 28 Sep 2020 15:10:06 GMT https://community.splunk.com/t5/Getting-Data-In/DNS-Resolution-Revisited/m-p/125062#M25786 balcv 2020-09-28T15:10:06Z https://community.splunk.com/t5/Getting-Data-In/DNS-Resolution-Revisited/m-p/125063#M25787 <P>My guess is that your script is not outputting the fields that are expected. Don't you need to do <CODE>lookup dnsLookup ip as dst</CODE> to get the ip address passed in with the right name? </P> Fri, 01 Nov 2013 02:14:33 GMT https://community.splunk.com/t5/Getting-Data-In/DNS-Resolution-Revisited/m-p/125063#M25787 usethedata 2013-11-01T02:14:33Z https://community.splunk.com/t5/Getting-Data-In/DNS-Resolution-Revisited/m-p/125064#M25788 <P>Thank you. That was what I needed. Search that now works is and gives resolved name, ip and count:<BR /> source="udp:64514" SSH_Connects | stats count by dst | lookup dnsLookup ip as dst | sort -count | table host dst count</P> Fri, 01 Nov 2013 03:03:52 GMT https://community.splunk.com/t5/Getting-Data-In/DNS-Resolution-Revisited/m-p/125064#M25788 balcv 2013-11-01T03:03:52Z