I am using external_lookup.py in Splunk to resolve IPs/hostnames and get the respective hostnames/IPs. I can see that the Python script is only able to resolve internal IPs/hostnames, but not external IPs/hostnames such as
www.google.com. I am assuming that it is not able to resolve the external IPs/hostnames because of the proxy. If anyone has tried this before, could you please guide me on how I can achieve that?
If you look at the external_lookup.py script, it uses the Python
socket module, which interacts with the OS name resolution (DNS) server. If the DNS server configured in the OS (on which Splunk is running) is blocking any external name resolution, then you can't resolve external IPs/hostnames with the external_lookup.py script, and you might need to create your own script that uses the proxy IP for name resolution against external DNS servers. But I am not an expert on this, so I can't help much more here.
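To make the point above concrete, here is an added example of a small Splunk-style external lookup script built on the same socket calls (socket.gethostbyname for host to IP, socket.gethostbyaddr for IP to host). It is not the external_lookup.py that ships with Splunk, and the field names clienthost/clientip and the constructed "internal-only" resolver are assumptions made for the example. The resolver is injectable so that the failure mode discussed in this thread, a name server that only answers for internal names, can be reproduced offline: an external name such as www.google.com raises socket.gaierror, and the script records the error instead of crashing the lookup.

```python
import csv
import socket
import sys
from typing import Callable, Dict, Iterable, List

# A Splunk external lookup reads CSV rows on stdin and writes CSV rows on stdout.
# The field names below mirror the clienthost/clientip pair used in this thread
# (assumption: your transforms.conf fields_list may use different names).
FIELDS = ["clienthost", "clientip", "error"]

ForwardResolver = Callable[[str], str]   # hostname -> IP
ReverseResolver = Callable[[str], str]   # IP -> hostname


def os_forward(name: str) -> str:
    """Forward lookup through the OS resolver (same call external_lookup.py relies on)."""
    return socket.gethostbyname(name)


def os_reverse(ip: str) -> str:
    """Reverse lookup through the OS resolver; gethostbyaddr returns (name, aliases, ips)."""
    return socket.gethostbyaddr(ip)[0]


def resolve_rows(rows: Iterable[Dict[str, str]],
                 forward: ForwardResolver = os_forward,
                 reverse: ReverseResolver = os_reverse) -> List[Dict[str, str]]:
    """Fill in whichever of clienthost/clientip is missing on each row.

    Resolution failures (socket.gaierror for names, socket.herror for addresses)
    are captured in the 'error' field so Splunk still gets a row back for every
    input row instead of the whole lookup failing on one unresolvable name.
    """
    out: List[Dict[str, str]] = []
    for row in rows:
        host = (row.get("clienthost") or "").strip()
        ip = (row.get("clientip") or "").strip()
        result = {"clienthost": host, "clientip": ip, "error": ""}
        try:
            if host and not ip:
                result["clientip"] = forward(host)
            elif ip and not host:
                result["clienthost"] = reverse(ip)
        except (socket.gaierror, socket.herror) as exc:
            # This is exactly what an internal-only name server produces for
            # external names: the OS resolver raises, the field stays empty.
            result["error"] = str(exc)
        out.append(result)
    return out


# Constructed stand-in for a corporate name server that knows only internal zones.
INTERNAL_ZONE = {
    "splunk-sh01.corp.example": "10.1.2.3",
    "db01.corp.example": "10.1.2.4",
}


def internal_only_forward(name: str) -> str:
    """Resolves internal names only; anything else fails like a real resolver would."""
    if name in INTERNAL_ZONE:
        return INTERNAL_ZONE[name]
    raise socket.gaierror(-2, "Name or service not known")


def internal_only_reverse(ip: str) -> str:
    for name, addr in INTERNAL_ZONE.items():
        if addr == ip:
            return name
    raise socket.herror(1, "Unknown host")


def demo() -> List[Dict[str, str]]:
    """Run the lookup against the internal-only resolver with constructed rows."""
    rows = [
        {"clienthost": "splunk-sh01.corp.example", "clientip": ""},
        {"clienthost": "www.google.com", "clientip": ""},
        {"clienthost": "", "clientip": "10.1.2.4"},
    ]
    return resolve_rows(rows, forward=internal_only_forward, reverse=internal_only_reverse)


def main() -> None:
    """Entry point when Splunk invokes the script: CSV in, CSV out."""
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=FIELDS)
    writer.writeheader()
    for result in resolve_rows(reader):
        writer.writerow(result)


if __name__ == "__main__":
    main()
```

Run with no stdin redirection it behaves as a lookup script; call demo() to see the three cases side by side. The useful diagnostic is the error column: if it is populated for every public name but empty for internal ones, the script is working and the limitation is in the name server the OS points at, which is what the rest of this thread concludes.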
Are you using it like this?
| makeresults | eval clienthost = "google.com" | lookup dnslookup clienthost
This should generate an output field called
Hi @woodcock ,
Yes, I could get an output field clientip for the internal hostnames but not for external hostnames. Later I found that resolving any external hostnames is out of scope for the available name server.
After spending some time troubleshooting, I found that the name server used by my search heads can only resolve internal IPs/hostnames. Resolving external IPs/hostnames is out of scope for that name server.