topic Re: DNS Resolution in a search in Splunk Search

DNS Resolution in a search

balcv — Tue, 08 Oct 2013 21:59:12 GMT

Is it possible to have ip addresses in a search resolved to a host name and displayed in the results rather then the ip address. My search is:

source="udp:514" "dst=192.168." | stats count by dst | sort -count limit=10

This gives me the top ten hit ip addresses. I would like to see the host name rather than (or as well as) the ip address. Can this be done as part of the search string?

Re: DNS Resolution in a search

jtrucks — Tue, 08 Oct 2013 22:02:21 GMT

Read the following:

http://answers.splunk.com/answers/8051/dns-lookup-via-splunk

and

http://answers.splunk.com/answers/103154/dns-lookup-for-ip-address-in-log-meesage

Those should do it for you!

Re: DNS Resolution in a search

lukejadamec — Tue, 08 Oct 2013 22:03:54 GMT

Yes. But you will need a lookup table that matches the IP address to the host name.

Depending on the apps you have installed, you may find that this lookup table already exists. If it does already exist you will find it in the lookup folder, and it will automatically populate a field in which case you simply need to add the field to your stats. The name of the field escapes me.

Re: DNS Resolution in a search

jtrucks — Tue, 08 Oct 2013 22:43:38 GMT

Actually, the answers entries I linked to are for using an external command that performs the lookup on the fly and responds with the results.

Re: DNS Resolution in a search

lukejadamec — Tue, 08 Oct 2013 23:09:53 GMT

You answered at the same time I did. Besides, if they are already there...

Re: DNS Resolution in a search

balcv — Tue, 08 Oct 2013 23:13:45 GMT

The transforms.conf files did the trick and with a little manipulation of the search I have the results I wanted.

Thanks.

Re: DNS Resolution in a search

pryzrak — Fri, 15 Nov 2013 23:12:47 GMT

There is no need to create a lookup table as long as the nameserver holds those records. Just use the following after your example search:

<search> | lookup dnslookup clientip as dst OUTPUT clienthost as DST_RESOLVED

Re: DNS Resolution in a search

johnsond — Wed, 11 May 2016 00:20:18 GMT

perfect, thanks for this solution - works perfectly

Re: DNS Resolution in a search

woodcock — Mon, 16 Jan 2017 16:29:32 GMT

You should click "Accept" to close the question.

Re: DNS Resolution in a search

johnsond — Mon, 16 Jan 2017 19:48:11 GMT

this query has worked for me "lookup dnslookup clientip as lsp_rro OUTPUT clienthost as hops" when trying to make a human readable LSP path. We use /etc/hosts for the IP to hostname lookup, you can also use a DNS server to fill this requirement such as BIND9, MS Server or dnsmasq to name a few.

Re: DNS Resolution in a search

tibbian — Tue, 14 Mar 2017 17:00:52 GMT

If performance is an issue with dnslookup, which can happen when you have many distinct ips being returned by your search, you may want to populate your own lookup and refresh it nightly when there is less demand for resources. Here's a search I run nightly against a week of Windows security event log data to get the ips of machines that have been logged into, but you could substitute your own search for a list of ips to look up:

sourcetype=wineventlog:security EventCode=4768 NOT src_ip="::1"
| eval ip=replace(src_ip,"[f:]","") 
| dedup ip 
| lookup dnslookup clientip as ip OUTPUTNEW clienthost as hostname 
| table ip, hostname
| outputlookup ip2host.csv