Generally, in Splunk, the below is the way to open or display a lookup file:
| inputlookup ABCD.csv
But what does the below lookup, used in the middle of my query, do?
| inputlookup ABCD.csv | lookup dnslookup field_1 AS Field_one OUTPUT field_2 AS field_two
While trying to understand the above query, the first thing I tried was the below, to check what's inside the lookup dnslookup:
| inputlookup dnslookup
which didn't display any results. Could someone explain what | lookup dnslookup actually does in my query and how to check what's inside that lookup?
This is a DNS lookup example; the CSV file contains the two fields clienthost and clientip. It is an external_lookup.py file invoked through scripts, which is why you cannot see it using the inputlookup command.
Here is the doc which says this.
So if you have clientip you can get clienthost, or vice versa, using this lookup file.
Also, in the Web UI it is configured in Settings » Lookups » Lookup definitions » dnslookup
Let me know if it helps!
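How a script-backed lookup such as dnslookup behaves, as an added example that is not part of the original answer and is not Splunk's own external_lookup.py: Splunk pipes the lookup fields to the script as CSV and reads the completed CSV back, so there is no static table for inputlookup to return. The run_lookup helper, the injectable resolvers and the sample rows are constructed for illustration.

```python
import csv
import io
import socket
import sys


def resolve_forward(host):
    """Hostname -> IPv4 address, or '' when resolution fails."""
    try:
        return socket.gethostbyname(host)
    except OSError:  # covers socket.gaierror / socket.herror
        return ""


def resolve_reverse(ip):
    """IP address -> hostname (PTR), or '' when resolution fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ""


def run_lookup(infile, outfile, hostfield="clienthost", ipfield="clientip",
               forward=resolve_forward, reverse=resolve_reverse):
    """Read CSV rows, fill whichever of the two fields is blank, write CSV."""
    reader = csv.DictReader(infile)
    writer = csv.DictWriter(outfile, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        if row[hostfield] and not row[ipfield]:
            row[ipfield] = forward(row[hostfield])
        elif row[ipfield] and not row[hostfield]:
            row[hostfield] = reverse(row[ipfield])
        writer.writerow(row)  # unresolved values stay blank


# Constructed sample: the rows a search would hand to the script.
SAMPLE = "clienthost,clientip\r\nwww.example.test,\r\n,192.0.2.10\r\n,198.51.100.9\r\n"
FAKE_A = {"www.example.test": "192.0.2.80"}     # constructed answers, so
FAKE_PTR = {"192.0.2.10": "mail.example.test"}  # the demo needs no network


def demo():
    out = io.StringIO()
    run_lookup(io.StringIO(SAMPLE), out,
               forward=lambda h: FAKE_A.get(h, ""),
               reverse=lambda ip: FAKE_PTR.get(ip, ""))
    return out.getvalue()


if __name__ == "__main__":
    run_lookup(sys.stdin, sys.stdout)  # live DNS when run as a script
```

Because every row triggers a resolver call at search time, results depend on the DNS view of the search head and can differ between runs, unlike a CSV-backed lookup.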