Re: Trouble with OpenDNS lookup Table

Volto · ‎05-23-2017

Hello,

I am trying to use the lookup table created by OpenDNS addon to include data from the OpenDNS cloud.

The structure of the lookup table is;

dest, last_queried, max_malware_sample_threat_score, rr_history.domain, rr_history.status, rr_history.status_label, rr_history.ttl.

My lookup query is; | lookup investigate_ips dest AS src_ip OUTPUT rr_history.status_label but this errors out "Error in 'lookup' command: Could not find all of the specified destination fields in the lookup table."

I know that the addresses passed to the lookup table exist, and I don't get the error when I output rr_history. Has anyone gotten the lookup table to work?

byearwood_splun · ‎02-04-2019

Hi Volto,
- what version of opendns_investigate are you running please?
- is there a corresponding csv file
- also should the command not be |inputlookup, instead of |lookup?

Trouble with OpenDNS lookup Table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation