All Apps and Add-ons

Update existing records to add DNS hostname

schnarked
Engager

Hiya all,

Managed to get DNS lookups working today (slight variation on the instructions was required!), but I got asked if we could get the data added for previous records so people could search on that through the (default) search window)

From what i've read, I understand that once the data is written, its immutable, but that an automatic lookup might help me out?

Grateful if someone could point me in the right direction.

Cheers,

Kieran

Tags (1)
0 Karma
1 Solution

lguinn2
Legend

First, a general suggestion: This is the best place to learn about lookups, because you can do it all from the GUI
Tutorial - Use Field Lookups. You don't have to manually edit props.conf or transforms.conf

Now, unlike the tutorial, you want to use a script rather than a lookup table. So, skip the sections of the tutorial that explain how to upload and share the lookup table. You will start with the lookup definition.

Specific steps:

  • Go to Settings and choose Lookups.
  • Skip the Lookup Table Files. Under Lookup Definitions, note that there is already a lookup named dnslookup. This is the one that you will use. It should already be set with global sharing and read permissions for everyone. You should not need to add anything, just confirm these settings and fix them if needed.
  • Under Automatic Lookups, you will need to create a new automatic lookup
    for each sourcetype where you want the DNS lookup performed. Take a look
    at the tutorial for details. Following are the settings for the fields:

    Destination app: probably Search, but your choice

    Name: choose a unique name for the automatic lookup

    Lookup table: choose dnslookup from the list

    Apply to: Sourcetype and carefully enter the exact name of the sourcetype - no wildcards!

    Lookup input fields: clientip your_ip_field_name

    Lookup output fields: clienthost your_host_field_name

Not that for the input and output fields, there are two boxes. The left box should contain the field names that the script uses. The right box is for the name of the corresponding field in your data. After you have created the automatic lookup, you will probably want to set the permissions for it to global for everyone.

Finally, there are other answers that might also help:
DNS lookup via Splunk is one of the best.

View solution in original post

lguinn2
Legend

First, a general suggestion: This is the best place to learn about lookups, because you can do it all from the GUI
Tutorial - Use Field Lookups. You don't have to manually edit props.conf or transforms.conf

Now, unlike the tutorial, you want to use a script rather than a lookup table. So, skip the sections of the tutorial that explain how to upload and share the lookup table. You will start with the lookup definition.

Specific steps:

  • Go to Settings and choose Lookups.
  • Skip the Lookup Table Files. Under Lookup Definitions, note that there is already a lookup named dnslookup. This is the one that you will use. It should already be set with global sharing and read permissions for everyone. You should not need to add anything, just confirm these settings and fix them if needed.
  • Under Automatic Lookups, you will need to create a new automatic lookup
    for each sourcetype where you want the DNS lookup performed. Take a look
    at the tutorial for details. Following are the settings for the fields:

    Destination app: probably Search, but your choice

    Name: choose a unique name for the automatic lookup

    Lookup table: choose dnslookup from the list

    Apply to: Sourcetype and carefully enter the exact name of the sourcetype - no wildcards!

    Lookup input fields: clientip your_ip_field_name

    Lookup output fields: clienthost your_host_field_name

Not that for the input and output fields, there are two boxes. The left box should contain the field names that the script uses. The right box is for the name of the corresponding field in your data. After you have created the automatic lookup, you will probably want to set the permissions for it to global for everyone.

Finally, there are other answers that might also help:
DNS lookup via Splunk is one of the best.

View solution in original post

lguinn2
Legend

Actually, Splunk isn't adding any info to the record - you can't update existing data. However, Splunk does cache the data it has looked up, therefore you see a good speed increase.

0 Karma

schnarked
Engager

Thanks for this - provides exactly the info that was required. It would be great if the Splunk doco was updated to reflect, this much, much, much simpler way of doing dns lookups!

One thing for other people who might do this - I did notice is that when you're doing searches (i.e. hostname="devicename"), it is slow for the 1st time that the info is added to the record. Once its added, its all fast again, which is as you would expect as its updating historical records, but once its there (which is the case for new info anyways), its all good!

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!