Splunk Enterprise

DNS lookup not returning returning results as expected

cburgman
Path Finder

I am running a basic search and wanting to perform a reverse DNS lookup.

index=*proxy src_ip="10.x.x.x" | lookup dnslookup clientip as src_ip OUTPUT clienthost as Hostname
| table Hostname

The search is not returning any fields named Hostname. What am I missing? Is there a way to validate the external lookup python script is working?

Transforms.conf
[dnslookup]
external_cmd = external_lookup.py clienthost clientip
fields_list = clienthost,clientip

Splunk 6.6.2

0 Karma

woodcock
Esteemed Legend

Try this:

| makeresults | eval host="70.90.168.114" | lookup dnslookup clientip AS host

This should give you mail.ubcomputer.com.

0 Karma

cburgman
Path Finder

This works for external dns lookups. Is there a way to configure to work for internal resolution?

0 Karma

woodcock
Esteemed Legend

make sure that the host OS for your Search Head is using your internal DNS Server.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...