Generally, in Splunk the below is the way to open or display a lookup file:
| inputlookup ABCD.csv
But what does the below lookup, used in the middle of my query, do?
| inputlookup ABCD.csv | lookup dnslookup field_1 AS Field_one OUTPUT field_2 AS field_two
While trying to understand the above query, the first thing I tried was the below, to check what's inside the lookup dnslookup:
| inputlookup dnslookup
which didn't display any results. Could someone explain what | lookup dnslookup actually does in my query and how to check what's inside that lookup?
This is a DNS lookup example; the CSV file contains the two fields clienthost and clientip. It is an external_lookup.py file invoked through scripts, which is why you cannot see it using the inputlookup command.
Here is the doc which says this:
http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/DefineanexternallookupinSplunkWeb#Extern...
So if you have clientip you can get clienthost, or vice versa, using this lookup file.
Also, in the Web UI it is configured in Settings » Lookups » Lookup definitions » dnslookup.
Let me know if it helps!
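To illustrate the script-backed lookup described in the answer above, here is a minimal external lookup written as an added example; it is not part of the original answer and is not Splunk's shipped external_lookup.py. It follows the external lookup convention of receiving a CSV table on stdin and returning the completed table on stdout; the function names, the injectable resolvers and the sample hosts are assumptions made for the illustration.

```python
import csv
import socket
import sys


def resolve_forward(host):
    """Host name -> IPv4 address, or '' when resolution fails."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return ""


def resolve_reverse(ip):
    """IP address -> host name, or '' when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ""


def run_lookup(infile, outfile, hostfield="clienthost", ipfield="clientip",
               forward=resolve_forward, reverse=resolve_reverse):
    """Fill in whichever of the two fields is empty on each CSV row.

    The search process writes a CSV table (header plus rows) to the
    script's stdin and reads the completed table from its stdout. The
    values are computed per search and never stored in a file, so
    inputlookup has nothing to display for this kind of lookup.
    """
    reader = csv.DictReader(infile)
    writer = csv.DictWriter(outfile, fieldnames=reader.fieldnames,
                            extrasaction="ignore")
    writer.writeheader()
    for row in reader:
        if row.get(hostfield) and not row.get(ipfield):
            row[ipfield] = forward(row[hostfield])
        elif row.get(ipfield) and not row.get(hostfield):
            row[hostfield] = reverse(row[ipfield])
        writer.writerow(row)


if __name__ == "__main__":
    # Invoked as: <script> <hostfield> <ipfield>
    if len(sys.argv) == 3:
        run_lookup(sys.stdin, sys.stdout, sys.argv[1], sys.argv[2])
```

Because every row triggers a live DNS query from the search head, the returned values reflect DNS at search time, not at event time.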