topic Re: Display IP address and hostname from DNS Search arpa data in Splunk Search

Display IP address and hostname from DNS Search arpa data

landen99 — Mon, 17 Mar 2014 12:56:43 GMT

Searches of DNS logs, sourcetype=dns, reveal records with information of the form *.in-addr.arpa
While I can reverse the ip address in that form for each result and do the nslookup for each event separately, such a task is fairly time consuming.
Is there a way to get splunk to show the ip address and domain name for each *.in-addr.arpa in a table? It would look something like this:

sourcetype=dns | table _time domain domain_ip domain_name

which would give something like the following in my table:
2014-03-17 07:54:00 xx.yy.zz.aa.in-addr.arpa aa.zz.yy.xx siteofinterest.com

Re: Display IP address and hostname from DNS Search arpa data

dturner83 — Mon, 17 Mar 2014 20:45:50 GMT

Have you tried this?
https://apps.splunk.com/app/1535/

Works well for us, but sometimes the dns lookups for whatever reason can take quite a while depending on the dataset.

Re: Display IP address and hostname from DNS Search arpa data

landen99 — Tue, 18 Mar 2014 11:29:19 GMT

Update: It seems that we are trying to avoid having Splunk do any processing. We want Splunk to focus on data indexing and retrieval. With that in mind, I am wondering if there is a way to retrieve the results in a format which lends itself to processing in another application or with a batch file. If I can create a batch file with the correct commands and information, and I can execute that file outside of Splunk at my leisure. I am not sure how I could get Splunk to export the information with the appropriate format and commands into a batch file. Is there another way?