I'm trying to run a search for hits to a particular ACL on a firewall and then resolve the names via reverse DNS. I've tried this 100 ways to Sunday but I'm still not able to figure it out. No matter what I pass to dnslookup, it returns with:
"Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table."
Here's the search:
host=dc1-ra-01.mbsbooks.com destip=18.104.22.168/20 | lookup dnslookup ip AS src_ip OUTPUTNEW host AS hostname
The following already existed in my transform.conf:
external_cmd = external_lookup.py host ip
fields_list = host, ip
Can reverse DNS lookups be done at searchtime like this? What am I missing?
The one thing that I can tell is that you already have a field of "host". But you are trying to reverse lookup also to a field with "host" as your hostname. Splunk will get confused. Try renaming your 'host' field in transforms.conf from