
Reverse DNS within search

jbilbro
Engager

I'm trying to run a search for hits to a particular ACL on a firewall and then resolve the names via reverse DNS. I've tried this 100 ways to Sunday but I'm still not able to figure it out. No matter what I pass to dnslookup, it returns with:

"Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table."

Here's the search:

host=dc1-ra-01.mbsbooks.com destip=108.160.160.0/20 | lookup dnslookup ip AS src_ip OUTPUTNEW host AS hostname

The following already existed in my transforms.conf:

[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

Can reverse DNS lookups be done at searchtime like this? What am I missing?

Thanks,
-Jeff

pryzrak
Path Finder

The one thing that I can tell is that you already have a field of "host". But you are trying to reverse lookup also to a field with "host" as your hostname. Splunk will get confused. Try renaming your 'host' field in transforms.conf from

`fields_list=host,ip`

to

`fields_list=hostname,ip`
0 Karma
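To show what happens behind that lookup call, here is an added example (not Splunk's bundled external_lookup.py and not code from either poster) of an external lookup script in the shape the `[dnsLookup]` stanza from the question invokes; the field names `host` and `ip` come from that stanza, everything else is assumed.

```python
# Added example, not Splunk's shipped external_lookup.py: a reverse DNS
# external lookup in the shape Splunk expects for the stanza above
# (external_cmd = external_lookup.py host ip, fields_list = host, ip).
# Splunk pipes CSV rows with the fields_list columns on stdin; the script
# fills whichever column is empty and writes the rows back as CSV on stdout.
import csv
import socket
import sys

def resolve_ip(ip):
    """Reverse lookup (PTR): IP -> hostname, or '' if none exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror/gaierror are OSError subclasses
        return ""

def resolve_host(host):
    """Forward lookup: hostname -> IP, or '' on failure."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return ""

def fill_rows(rows, ip_to_host=resolve_ip, host_to_ip=resolve_host):
    """Fill the empty side of each {'host': ..., 'ip': ...} row.
    Rows with both fields set are left as they are, so an event's own
    'host' value is never overwritten. Resolvers are injectable so the
    CSV logic can be tested offline without DNS."""
    out = []
    for row in rows:
        row = dict(row)
        host, ip = row.get("host", ""), row.get("ip", "")
        if ip and not host:
            row["host"] = ip_to_host(ip)
        elif host and not ip:
            row["ip"] = host_to_ip(host)
        out.append(row)
    return out

def main():
    # argv carries the field names Splunk passed on external_cmd.
    fields = sys.argv[1:] or ["host", "ip"]
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames or fields)
    writer.writeheader()
    writer.writerows(fill_rows(reader))

if __name__ == "__main__":
    main()
```

The column names on stdin are exactly the names in `fields_list`, so a rename to `hostname` there has to be matched both on `external_cmd` and in the `lookup` call.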