How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

justin0104
New Member

I'm trying to do a reverse DNS lookup on a field in Splunk called client_ip. I'm running Splunk version 6.2.4. I've added details to my transforms.conf file and my props.conf file, both below.

transforms.conf

[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

props.conf

[access_combined]
LOOKUP-rdns = dnsLookup ip AS clientip OUTPUTNEW host AS hostname

Do I need to add client_ip to the fields_list and then change the props.conf file also?

mreynov_splunk
Splunk Employee

Here is the breakdown: https://answers.splunk.com/answers/8051/dns-lookup-via-splunk.html

reminder: please search first, before creating a duplicate question.

justin0104
New Member

Mreynov, The link you provided is where I first got the information to edit my props.conf and transforms.conf files with the details I listed above.

Keep in mind that the field i'm trying to do the reverse lookup on is called "client_ip" so does that matter at all? Here is my full search...

sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(client_ip) as distinctCount values(client_ip) | where distinctCount>1 | lookup dnsLookup ip AS clientip OUTPUTNEW host AS hostname

So far this search only shows me the distinct IPs (as it should) but it doesn't resolve those IPs.

mreynov_splunk
Splunk Employee

Of course the field name matters.

try
sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(client_ip) as distinctCount values(client_ip) | where distinctCount>1 | lookup dnsLookup ip AS client_ip OUTPUTNEW host AS hostname

(hopefully hostname is a field that exists for you)

justin0104
New Member

Tried your search and that didn't work.

justin0104
New Member

Also, I don't have a hostname field. The only fields I have in my stats view are distinct view and client_ip.

mreynov_splunk
Splunk Employee

then try this
sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(client_ip) as distinctCount values(client_ip) | where distinctCount>1 | lookup dnsLookup ip AS client_ip OUTPUTNEW hostname

woodcock
Esteemed Legend

You do not need to add the stuff in transforms.conf; you can exploit the ones that are already there simply by adding this to your props.conf:

LOOKUP-rdns = dnslookup clientip AS host OUTPUTNEW clienthost AS hostname

If this search works, then the above solution should too:

... | lookup dnslookup clientip AS host OUTPUTNEW clienthost AS hostname

woodcock
Esteemed Legend

Have you tried this search (and answer)?

justin0104
New Member

Below is the only line in my props.conf file and when I do the search it still won't perform the lookup. Also, I get errors now on any search that I do.

Error 'Could not find all of the specified lookup fields in the lookup table.' for conf '(?i)source::....zip(.\d+)?' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'ActiveDirectory' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Cisco:ISE:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:AFM:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:Access' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:DCFW' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:iRule:WebAccess' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5_SPLUNK_iRULE' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'PerformanceMonitor' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Splunk_TA_cisco-ise-too_small' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Splunk_TA_f5_bigip_main.log' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Splunk_TA_f5_bigip_main.log-too_small' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WinNetMonMk' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WinPrintMon' and lookup table 'dnsLookup'.

==============================
props.conf
LOOKUP-rdns = dnsLookup clientip AS host OUTPUTNEW clienthost AS hostname

mreynov_splunk
Splunk Employee

if you have this entry in props, Splunk expects a lookup definition in transforms, something like this:

[dnsLookup]
filename = <>.csv

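The thread turns on one point: the script named in `external_cmd` only ever sees the lookup definition's own field names (`host` and `ip` in the opening `[dnsLookup]` stanza), and the search-side field (`client_ip`) is mapped onto one of them by the `ip AS client_ip` clause in props.conf or in the `lookup` command. The added example below, which is not code from the thread or from Splunk, shows what such an external lookup script has to do under Splunk's documented external-lookup contract: Splunk pipes a CSV whose header is the lookup's field list to the script's stdin and reads a CSV with the same header back from stdout, with the missing column filled in. The resolver is injectable so the demo runs offline against constructed sample data (the IP addresses, PTR results and the `demo()` helper are all made up for illustration); a real deployment would use the `socket` based resolvers it falls back to.

```python
import csv
import io
import socket
import sys
from typing import Callable, Dict, Iterable, List

# Field names exposed by the lookup definition. They must match the names given
# after external_cmd in transforms.conf ("host ip" in the thread's [dnsLookup]
# stanza). The search-time field (client_ip) is renamed to "ip" by the
# "ip AS client_ip" clause before the CSV reaches this script.
HOST_FIELD = "host"
IP_FIELD = "ip"

# A resolver takes one string and returns the resolved value, or "" on failure.
Resolver = Callable[[str], str]


def reverse_resolve(ip: str) -> str:
    """Reverse DNS via the OS resolver (PTR); empty string when nothing resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return ""


def forward_resolve(host: str) -> str:
    """Forward DNS via the OS resolver (A record); empty string on failure."""
    try:
        return socket.gethostbyname(host)
    except (socket.gaierror, OSError):
        return ""


def run_lookup(rows: Iterable[Dict[str, str]], rev: Resolver, fwd: Resolver) -> List[Dict[str, str]]:
    """Fill whichever of host/ip is empty in each row; rows with both set pass through."""
    out = []
    for row in rows:
        row = dict(row)
        ip = row.get(IP_FIELD) or ""
        host = row.get(HOST_FIELD) or ""
        if ip and not host:
            row[HOST_FIELD] = rev(ip)
        elif host and not ip:
            row[IP_FIELD] = fwd(host)
        out.append(row)
    return out


def process_csv(text: str, rev: Resolver = reverse_resolve, fwd: Resolver = forward_resolve) -> str:
    """Read the CSV Splunk sends on stdin, return the CSV Splunk expects on stdout."""
    reader = csv.DictReader(io.StringIO(text))
    fieldnames = reader.fieldnames or []
    # Script-side analogue of the "Could not find all of the specified lookup
    # fields" error seen in the thread: refuse input whose header lacks a lookup field.
    missing = [f for f in (HOST_FIELD, IP_FIELD) if f not in fieldnames]
    if missing:
        raise ValueError("lookup fields missing from input header: " + ", ".join(missing))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in run_lookup(reader, rev, fwd):
        writer.writerow(row)
    return buf.getvalue()


# Constructed sample input: what Splunk would pipe in for a search ending in
# "lookup dnsLookup ip AS client_ip OUTPUTNEW host AS hostname" with two distinct
# client IPs, plus one forward-lookup row. Addresses are documentation ranges.
SAMPLE_INPUT = "host,ip\n,192.0.2.10\n,198.51.100.7\nexample.test,\n"
SAMPLE_PTR = {"192.0.2.10": "web1.example.test"}   # 198.51.100.7 deliberately has no PTR
SAMPLE_A = {"example.test": "203.0.113.5"}


def demo() -> str:
    """Run the lookup over the constructed sample with table-backed resolvers (offline)."""
    return process_csv(
        SAMPLE_INPUT,
        rev=lambda ip: SAMPLE_PTR.get(ip, ""),
        fwd=lambda h: SAMPLE_A.get(h, ""),
    )


if __name__ == "__main__":
    # With no arguments, print the offline demo. When invoked by Splunk the field
    # names arrive as arguments and the CSV arrives on stdin.
    if len(sys.argv) == 1:
        sys.stdout.write(demo())
    else:
        sys.stdout.write(process_csv(sys.stdin.read()))
```

The row for 198.51.100.7 comes back with an empty `host`, which is why `OUTPUTNEW host AS hostname` leaves `hostname` absent for addresses without a PTR record rather than failing the search; and the forward-lookup row shows that the same script serves both directions, matching the bundled `dnslookup` definition woodcock points to, whose fields are named `clienthost` and `clientip` instead of `host` and `ip`.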