All Apps and Add-ons

Reverse DNS within search

Engager

I'm trying to run a search for hits to a particular ACL on a firewall and then resolve the names via reverse DNS. I've tried this 100 ways to Sunday but I'm still not able to figure it out. No matter what I pass to dnslookup, it returns with:

"Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table."

Here's the search:

host=dc1-ra-01.mbsbooks.com destip=108.160.160.0/20 | lookup dnslookup ip AS src_ip OUTPUTNEW host AS hostname

The following already existed in my transform.conf:

[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

Can reverse DNS lookups be done at searchtime like this? What am I missing?

Thanks,
-Jeff

Tags (1)

Path Finder

The one thing that I can tell is that you already have a field of "host". But you are trying to reverse lookup also to a field with "host" as your hostname. Splunk will get confused. Try renaming your 'host' field in transforms.conf from

`field_list=host,ip`

to

`field_list=hostname,ip`
0 Karma