Reverse DNS within search


I'm trying to run a search for hits to a particular ACL on a firewall and then resolve the names via reverse DNS. I've tried this 100 ways to Sunday but I'm still not able to figure it out. No matter what I pass to dnslookup, it returns with:

"Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table."

Here's the search: destip= | lookup dnslookup ip AS src_ip OUTPUTNEW host AS hostname

The following already existed in my transforms.conf:

external_cmd = host ip
fields_list = host, ip

Can reverse DNS lookups be done at searchtime like this? What am I missing?


The one thing that I can tell is that you already have a field of "host". But you are trying to reverse lookup also to a field with "host" as your hostname. Splunk will get confused. Try renaming your 'host' field in transforms.conf from
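As an added example (not Splunk's shipped script and not part of either post above), here is a minimal external lookup script of the kind that `external_cmd` in transforms.conf points at. Splunk runs such a script with the field names from `fields_list` as arguments, feeds it a CSV on stdin whose header contains every one of those fields, and expects the same CSV back on stdout with the empty columns filled in. The script name `reverse_dns_lookup.py`, the sample addresses and the injectable resolver functions are assumptions made so the example runs offline; the real script would call `socket.gethostbyaddr` as the default does.

```python
#!/usr/bin/env python3
"""Splunk-style external lookup doing reverse (and forward) DNS.

Added example, not Splunk's own external_lookup.py. Assumed transforms.conf:
    external_cmd = reverse_dns_lookup.py host ip
    fields_list  = host, ip
Splunk invokes:  reverse_dns_lookup.py host ip   with a CSV on stdin, e.g.
    host,ip
    ,192.0.2.10
and reads the completed CSV from stdout.
"""
import csv
import io
import socket
import sys


def reverse_lookup(ip):
    """PTR lookup for one address; return '' instead of raising on failure."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return ""


def forward_lookup(name):
    """A record lookup for one name; return '' on failure."""
    try:
        return socket.gethostbyname(name)
    except (socket.gaierror, OSError):
        return ""


def process(in_text, host_field, ip_field,
            reverse=reverse_lookup, forward=forward_lookup):
    """Fill in whichever of host_field / ip_field is empty on each CSV row.

    Returns the output CSV as text. Raises ValueError when the header Splunk
    sent does not contain both fields, which is the contract an external
    lookup relies on.
    """
    reader = csv.DictReader(io.StringIO(in_text))
    fields = reader.fieldnames or []
    if host_field not in fields or ip_field not in fields:
        raise ValueError("input header %r lacks %r or %r"
                         % (fields, host_field, ip_field))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        ip = (row.get(ip_field) or "").strip()
        host = (row.get(host_field) or "").strip()
        if ip and not host:
            row[host_field] = reverse(ip)      # reverse DNS: ip -> name
        elif host and not ip:
            row[ip_field] = forward(host)      # forward DNS: name -> ip
        writer.writerow(row)                   # rows it cannot fill pass through
    return out.getvalue()


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s <host_field> <ip_field>\n" % argv[0])
        return 2
    sys.stdout.write(process(sys.stdin.read(), argv[1], argv[2]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The column names in the CSV header are exactly the names in `fields_list`; the `AS` clauses in the search only rename them on the Splunk side, so a script that keys on the wrong names, or a `fields_list` that does not match what the search asks for, is what produces the "Could not find all of the specified lookup fields" error.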