topic Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field? in Getting Data In

How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

justin0104 — Fri, 30 Oct 2015 15:53:41 GMT

I'm trying to do a reverse DNS lookup on a field in Splunk called client_ip. I'm running Splunk version 6.2.4. I've added details to my transforms.conf file and my props.conf file, both below.

transforms.conf

[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

props.conf

[access_combined]
LOOKUP-rdns = dnsLookup ip AS clientip OUTPUTNEW host AS hostname

Do I need to add client_ip to the fields_list and then change the props.conf file also?

Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

woodcock — Fri, 30 Oct 2015 17:46:33 GMT

You do not need to add the stuff in transforms.conf; you can exploit the ones that are already there simply by adding this to your props.conf:

LOOKUP-rdns = dnslookup clientip AS host OUTPUTNEW clienthost AS hostname

If this search works, then the above solution should to:

... | lookup dnslookup clientip AS host OUTPUTNEW clienthost AS hostname

Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

mreynov_splunk — Fri, 30 Oct 2015 21:47:41 GMT

Here is the breakdown: https://answers.splunk.com/answers/8051/dns-lookup-via-splunk.html

reminder: please search first, before creating a duplicate question.

Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

justin0104 — Tue, 29 Sep 2020 07:47:33 GMT

Mreynov, The link you provided is where I first got the information to edit my props.conf and transforms.conf files with the details I listed above.

Keep in mind that the field i'm trying to do the reverse lookup on is called "client_ip" so does that matter at all? Here is my full search...

sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(client_ip) as distinctCount values(client_ip) | where distinctCount>1 | lookup dnsLookup ip AS clientip OUTPUTNEW host AS hostname

So far this search only shows me the distinct IPs (as it should) but it doesn't resolve those IPs.

Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

mreynov_splunk — Tue, 29 Sep 2020 07:48:19 GMT

of course the field name mattes.

try
sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(client_ip) as distinctCount values(client_ip) | where distinctCount>1 | lookup dnsLookup ip AS client_ip OUTPUTNEW host AS hostname

(hopefully hostname is a field that exists for you)

Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

justin0104 — Tue, 03 Nov 2015 05:25:03 GMT

Tried your search and that didn't work.

Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

justin0104 — Tue, 03 Nov 2015 05:26:39 GMT

Also, I don't have a hostname field. The only fields I have in my stats view are distinct view and client_ip.

Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

woodcock — Tue, 03 Nov 2015 14:09:27 GMT

Have you tried this search (and answer)?

Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

justin0104 — Tue, 29 Sep 2020 07:45:24 GMT

Below is the only line in my props.conf file and when i do the search it still won't perform the lookup. Also, i get errors now on any search that i do.

Error 'Could not find all of the specified lookup fields in the lookup table.' for conf '(?i)source::....zip(.\d+)?' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'ActiveDirectory' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Cisco:ISE:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:AFM:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:Access' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:DCFW' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:iRule:WebAccess' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5_SPLUNK_iRULE' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'PerformanceMonitor' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Splunk_TA_cisco-ise-too_small' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Splunk_TA_f5_bigip_main.log' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Splunk_TA_f5_bigip_main.log-too_small' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WinNetMonMk' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WinPrintMon' and lookup table 'dnsLookup'.

==============================
props.conf
LOOKUP-rdns = dnsLookup clientip AS host OUTPUTNEW clienthost AS hostname

Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

mreynov_splunk — Tue, 29 Sep 2020 07:48:41 GMT

then try this
sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(client_ip) as distinctCount values(client_ip) | where distinctCount>1 | lookup dnsLookup ip AS client_ip OUTPUTNEW hostname

Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

mreynov_splunk — Tue, 03 Nov 2015 23:36:04 GMT

if you have this entry in props, Splunk expects a lookup definition in transforms, something like this:

[dnsLookup]
filename = <>.csv