Hiya all,
Managed to get DNS lookups working today (a slight variation on the instructions was required!), but I got asked if we could get the data added for previous records so people could search on that through the (default) search window.
From what I've read, I understand that once the data is written, it's immutable, but that an automatic lookup might help me out?
Grateful if someone could point me in the right direction.
Cheers,
Kieran
First, a general suggestion: this is the best place to learn about lookups, because you can do it all from the GUI: Tutorial - Use Field Lookups. You don't have to manually edit props.conf or transforms.conf.
Now, unlike the tutorial, you want to use a script rather than a lookup table. So, skip the sections of the tutorial that explain how to upload and share the lookup table. You will start with the lookup definition.
Specific steps:
Lookup definition: dnslookup. This is the one that you will use. It should already be set with global sharing and read permissions for everyone. You should not need to add anything, just confirm these settings and fix them if needed.
Under Automatic Lookups, you will need to create a new automatic lookup for each sourcetype where you want the DNS lookup performed. Take a look at the tutorial for details. Following are the settings for the fields:
Destination app: probably Search, but your choice
Name: choose a unique name for the automatic lookup
Lookup table: choose dnslookup from the list
Apply to: Sourcetype and carefully enter the exact name of the sourcetype - no wildcards!
Lookup input fields: clientip your_ip_field_name
Lookup output fields: clienthost your_host_field_name
Note that for the input and output fields, there are two boxes. The left box should contain the field names that the script uses. The right box is for the name of the corresponding field in your data. After you have created the automatic lookup, you will probably want to set the permissions for it to global for everyone.
Finally, there are other answers that might also help:
DNS lookup via Splunk is one of the best.
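As an added illustration (not code from this thread or from Splunk itself), the script behind dnslookup follows Splunk's external lookup contract: Splunk pipes a CSV whose header names the lookup fields (clientip and clienthost for the built-in definition) to the script's stdin, and the script writes the same CSV back with the empty field filled in. The resolver functions, the injectable resolvers used for offline testing, and the sample rows below are assumptions of this example.

```python
import csv
import io
import socket
import sys

# Field names from Splunk's built-in dnslookup definition; everything else
# in this file is an assumed stand-in for the real external lookup script.
IP_FIELD = "clientip"
HOST_FIELD = "clienthost"

# Constructed sample input in the shape Splunk pipes to the script.
SAMPLE_CSV = "clientip,clienthost\n10.0.0.1,\n,b.example\n10.0.0.1,\n"


def reverse_lookup(ip):
    """Reverse-resolve an IP with the system resolver; "" when it fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return ""


def forward_lookup(host):
    """Forward-resolve a hostname with the system resolver; "" when it fails."""
    try:
        return socket.gethostbyname(host)
    except (socket.gaierror, OSError):
        return ""


def fill_dns_fields(csv_text, reverse=reverse_lookup, forward=forward_lookup):
    """Read Splunk's CSV, fill the missing side of each row, return the CSV.

    Results are memoised per invocation, so a batch with many events from the
    same IP costs one resolver call per distinct value. Rows with both fields
    populated, or neither, pass through unchanged."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if not reader.fieldnames:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames)
    writer.writeheader()
    cache = {}
    for row in reader:
        ip, host = row.get(IP_FIELD) or "", row.get(HOST_FIELD) or ""
        if ip and not host:
            if ("r", ip) not in cache:
                cache[("r", ip)] = reverse(ip)
            row[HOST_FIELD] = cache[("r", ip)]
        elif host and not ip:
            if ("f", host) not in cache:
                cache[("f", host)] = forward(host)
            row[IP_FIELD] = cache[("f", host)]
        writer.writerow(row)
    return out.getvalue()


if __name__ == "__main__":
    # Splunk invokes the script with the CSV on stdin and reads stdout.
    sys.stdout.write(fill_dns_fields(sys.stdin.read()))
```

Because the filled values come from PTR and A records that the owner of the remote address space controls, treat clienthost as untrusted display data in searches rather than as an identity you pivot on.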
Actually, Splunk isn't adding any info to the record - you can't update existing data. However, Splunk does cache the data it has looked up, therefore you see a good speed increase.
Thanks for this - provides exactly the info that was required. It would be great if the Splunk doco was updated to reflect this much, much, much simpler way of doing DNS lookups!
One thing for other people who might do this - I did notice that when you're doing searches (i.e. hostname="devicename"), it is slow the 1st time that the info is added to the record. Once it's added, it's all fast again, which is as you would expect as it's updating historical records, but once it's there (which is the case for new info anyway), it's all good!