topic Resolve IP to Host in Splunk Search

Resolve IP to Host

lain179 — Wed, 08 May 2013 21:09:07 GMT

I am creating a failed login report from WMI security log entires. My temporary search command looks like:

sourcetype="WMI*Security" Type="Audit Failure" Account_Name=* | stats values(Account_Name) values(Client_Address) values(Client_Port) by _time

Client_Address values are IP addresses, and I would like them to be displayed as the host name. How can I accomplish that?

FYI, I have already read the article on Lookup command to resolve IP to Host.
http://docs.splunk.com/Documentation/Splunk/4.2.2/Knowledge/Addfieldsfromexternaldatasources

And I am having trouble understanding how to set it up and make use of it in my search. Really appreciate any help.

Thanks!

Re: Resolve IP to Host

emechler_splunk — Mon, 28 Sep 2020 13:52:10 GMT

http://docs.splunk.com/Documentation/Splunk/5.0.2/Knowledge/Addfieldsfromexternaldatasources#Example_of_external_fields_lookup

If the docs are unclear or need to be improved, don't hesitate to submit feedback at the bottom of each docs page! In the meantime, maybe this will add some clarity to this process:

You want to add this stanza to $SPLUNK_HOME/etc/system/local/transforms.conf:

[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

This defines the lookup called "dnsLookup" which we can now tie to a specific sourcetype in $SPLUNK_HOME/etc/system/local/props.conf as such:

[WMI*Security]
LOOKUP-rdns = dnsLookup ip AS Client_Address

Note that this stanza has been renamed from the docs to reference the sourcetype you're interested in performing the lookup on (WMI*Security) and will create a new field called hostname that contains the rdns lookup value.

Restart Splunk and you should be all set.

Re: Resolve IP to Host

lain179 — Mon, 28 Sep 2020 13:52:18 GMT

I did that, and what's next? How do I use that in my search to transform IP to host name? When I do "lookup dnsLoopup Client_Address", it gave me an error saying 'dnsLookup' does not exist.



sourcetype="WMI*Security" Type="Audit Failure" Account_Name=* | stats values(Account_Name) values(Client_Address) values(Client_Port) by _time | lookup dnsLookup Client_Address

Re: Resolve IP to Host

lain179 — Thu, 09 May 2013 17:21:24 GMT

Never, I got it to work with file lookup.

Re: Resolve IP to Host

emechler_splunk — Thu, 09 May 2013 17:29:05 GMT

Edited the original post to remove the "OUTPUTNEW host AS hostname" part of the lookup; that doesn't appear to be necessary anymore. You also don't need to add "| lookup dnsLookup Client_Address" to your search; the entry in props.conf makes the lookup automatic.

Re: Resolve IP to Host

Michael — Mon, 28 Sep 2020 14:52:52 GMT

Does the target need to be an existing extraction?

For example:
LOOKUP-rdns = dnsLookup ip AS Client_Address

Does "Client_Address" have to be an existing field that's extracted (and presumably populated with IP addresses) -- or is this a new field that is created?

(in either case, still not getting this to work...)
/opt/splunk/etc/system/local/transforms.conf
[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

/opt/splunk/etc/system/local/props.conf
[access_log-too_small]
LOOKUP-rdns = dnsLookup ip AS Client_Address

Also tried "source_ip" (v.s. Client_Address) because it's an existing extraction that's populated with IP addresses, yes appearing as the sourcetype "access_log-too_small".