How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

New Member

I'm trying to do a reverse DNS lookup on a field in Splunk called client_ip. I'm running Splunk version 6.2.4. I've added details to my transforms.conf file and my props.conf file, both below.

transforms.conf

[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

props.conf

[access_combined]
LOOKUP-rdns = dnsLookup ip AS clientip OUTPUTNEW host AS hostname

Do I need to add client_ip to the fields_list and then change the props.conf file also?

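The transforms.conf stanza above points external_cmd at external_lookup.py with host and ip as its field list. As an added example (not Splunk's shipped external_lookup.py and not code from this thread), here is a script that implements the same contract Splunk uses for external lookups: the field names from fields_list are passed as command-line arguments, the rows to enrich arrive as CSV on stdin with the unknown column blank, and the completed CSV is written back to stdout. Rows whose address does not resolve are returned unchanged, which is what makes OUTPUTNEW leave the event without a hostname rather than inventing one. The resolver functions are injectable so the row logic can be exercised without network access; the file name rdns_lookup.py is an assumption, and the code is kept Python 2/3 compatible because Splunk 6.2 bundles Python 2.

```python
#!/usr/bin/env python
"""Added example: a reverse/forward DNS external lookup in the shape Splunk
expects (hypothetical rdns_lookup.py, not Splunk's own external_lookup.py).

Contract implemented here:
  * the field names from fields_list arrive as argv, e.g. `host ip`
  * the rows to enrich arrive as CSV on stdin, one column per lookup field,
    with the side to be filled in left blank
  * the completed CSV goes back to stdout with the same columns
"""
import csv
import socket
import sys


def reverse_lookup(ip):
    """Return the PTR name for an address, or None if it does not resolve."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def forward_lookup(host):
    """Return an address for a name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(host)
    except (socket.gaierror, OSError):
        return None


def resolve_rows(rows, host_field="host", ip_field="ip",
                 reverse=reverse_lookup, forward=forward_lookup):
    """Fill the blank side of every row.

    A row with an address but no name gets a reverse lookup; a row with a
    name but no address gets a forward lookup. Rows that cannot be resolved
    are returned unchanged, so OUTPUTNEW adds nothing for them.
    """
    resolved = []
    for row in rows:
        row = dict(row)
        ip = (row.get(ip_field) or "").strip()
        host = (row.get(host_field) or "").strip()
        if ip and not host:
            name = reverse(ip)
            if name:
                row[host_field] = name
        elif host and not ip:
            addr = forward(host)
            if addr:
                row[ip_field] = addr
        resolved.append(row)
    return resolved


def main(argv=None):
    """Splunk entry point: rdns_lookup.py <host_field> <ip_field>."""
    argv = sys.argv[1:] if argv is None else argv
    if len(argv) != 2:
        sys.stderr.write("usage: rdns_lookup.py <host_field> <ip_field>\n")
        return 2
    host_field, ip_field = argv
    reader = csv.DictReader(sys.stdin)
    # Keep whatever header Splunk sent; fall back to the argv names.
    fieldnames = reader.fieldnames or [host_field, ip_field]
    writer = csv.DictWriter(sys.stdout, fieldnames=fieldnames)
    writer.writeheader()
    writer.writerows(resolve_rows(reader, host_field, ip_field))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

To try it from a shell, pipe a two-column CSV in the way Splunk would: `printf 'host,ip\n,192.0.2.10\n' | python rdns_lookup.py host ip`. Treat the names this returns as enrichment only: a PTR record is set by whoever controls the reverse zone for that address range, so it is not evidence of who the client is.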

Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

Esteemed Legend

You do not need to add the stuff in transforms.conf; you can exploit the ones that are already there simply by adding this to your props.conf:

LOOKUP-rdns = dnslookup clientip AS host OUTPUTNEW clienthost AS hostname

If this search works, then the above solution should too:

... | lookup dnslookup clientip AS host OUTPUTNEW clienthost AS hostname

Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

Esteemed Legend

Have you tried this search (and answer)?


Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

New Member

Below is the only line in my props.conf file and when I do the search it still won't perform the lookup. Also, I get errors now on any search that I do.

Error 'Could not find all of the specified lookup fields in the lookup table.' for conf '(?i)source::....zip(.\d+)?' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'ActiveDirectory' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'Cisco:ISE:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:AFM:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:Access' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:DCFW' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:LTM:Syslog' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5:iRule:WebAccess' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'F5SPLUNKiRULE' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'PerformanceMonitor' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'SplunkTAcisco-ise-toosmall' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'SplunkTAf5bigipmain.log' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'SplunkTAf5bigipmain.log-toosmall' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WinNetMonMk' and lookup table 'dnsLookup'.
Error 'Could not find all of the specified lookup fields in the lookup table.' for conf 'WinPrintMon' and lookup table 'dnsLookup'.

==============================
props.conf
LOOKUP-rdns = dnsLookup clientip AS host OUTPUTNEW clienthost AS hostname


Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

Splunk Employee

If you have this entry in props, Splunk expects a lookup definition in transforms, something like this:

[dnsLookup]
filename = <>.csv

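The error repeated above ('Could not find all of the specified lookup fields in the lookup table') is what Splunk reports when a field on the lookup-table side of a LOOKUP- directive (the token before AS, or the bare token when there is no AS) is not in the fields_list of the transforms stanza the directive names. The props.conf line posted above names [dnsLookup], whose fields_list in the original question is `host, ip`, but references `clientip` and `clienthost`; those are the field names of the [dnslookup] stanza that Splunk ships in etc/system/default/transforms.conf, and stanza names are case-sensitive. As an added example (not a Splunk tool and not code from this thread), here is a checker that parses both files and reports exactly those mismatches. The sample configs are constructed from the lines quoted in the thread plus the shipped default stanza.

```python
"""Added example: cross-check props.conf LOOKUP- directives against the
transforms.conf stanzas they name (hypothetical helper, not a Splunk tool).

A finding is produced when a directive names a stanza that does not exist
(with a hint if one exists under a different case) or when a lookup-table
field it references is absent from that stanza's fields_list.
"""
import configparser


def _conf(text):
    # Splunk .conf files are INI-like; section names are case-sensitive,
    # keys are not, and values are never interpolated.
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.read_string(text)
    return parser


def parse_lookup_directive(value):
    """Split 'name f1 AS e1 ... OUTPUTNEW f2 AS e2' into
    (name, input_table_fields, output_table_fields)."""
    tokens = value.split()
    name, rest = tokens[0], tokens[1:]
    inputs, outputs = [], []
    target = inputs
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok.upper() in ("OUTPUT", "OUTPUTNEW"):
            target = outputs
            i += 1
            continue
        target.append(tok)  # the lookup-table field name
        if i + 2 < len(rest) and rest[i + 1].upper() == "AS":
            i += 3          # skip 'AS <event field>'
        else:
            i += 1
    return name, inputs, outputs


def check_lookups(props_text, transforms_text):
    """Return a list of human-readable findings; an empty list means the
    props directives are consistent with the transforms stanzas."""
    props, transforms = _conf(props_text), _conf(transforms_text)
    findings = []
    for stanza in props.sections():
        for key, value in props.items(stanza):
            if not key.lower().startswith("lookup-"):
                continue
            name, inputs, outputs = parse_lookup_directive(value)
            if not transforms.has_section(name):
                similar = [s for s in transforms.sections()
                           if s.lower() == name.lower()]
                hint = ""
                if similar:
                    hint = (" (a stanza [%s] exists; stanza names are "
                            "case-sensitive)" % similar[0])
                findings.append("[%s] %s: no transforms stanza [%s]%s"
                                % (stanza, key, name, hint))
                continue
            raw = transforms.get(name, "fields_list", fallback="")
            declared = [f.strip() for f in raw.split(",") if f.strip()]
            missing = [f for f in inputs + outputs if f not in declared]
            if missing:
                findings.append(
                    "[%s] %s: fields %s are not in [%s] fields_list %s"
                    % (stanza, key, missing, name, declared))
    return findings


# Constructed sample: the stanza from the original question plus the
# [dnslookup] stanza Splunk ships in etc/system/default/transforms.conf.
TRANSFORMS = """
[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

[dnslookup]
external_cmd = external_lookup.py clienthost clientip
fields_list = clienthost, clientip
"""

# The later props.conf line from the thread: it names [dnsLookup] but uses
# the clientip/clienthost field names that belong to [dnslookup].
PROPS_MISMATCHED = """
[access_combined]
LOOKUP-rdns = dnsLookup clientip AS host OUTPUTNEW clienthost AS hostname
"""

# The original props.conf line, which is consistent with [dnsLookup].
PROPS_OK = """
[access_combined]
LOOKUP-rdns = dnsLookup ip AS clientip OUTPUTNEW host AS hostname
"""

if __name__ == "__main__":
    for label, text in (("mismatched", PROPS_MISMATCHED), ("ok", PROPS_OK)):
        print(label, check_lookups(text, TRANSFORMS) or "consistent")
```

Running the module prints one finding for the mismatched line, listing clientip and clienthost as absent from `host, ip`, and reports the original line as consistent. Point it at a real pair of files by reading them into the two text arguments; it only inspects fields_list, so a stanza that defines a CSV via filename will simply have no declared fields.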

Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

Splunk Employee

Here is the breakdown: https://answers.splunk.com/answers/8051/dns-lookup-via-splunk.html

Reminder: please search first, before creating a duplicate question.


Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

New Member

Mreynov, The link you provided is where I first got the information to edit my props.conf and transforms.conf files with the details I listed above.

Keep in mind that the field I'm trying to do the reverse lookup on is called "client_ip", so does that matter at all? Here is my full search...

sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(clientip) as distinctCount values(clientip) | where distinctCount>1 | lookup dnsLookup ip AS clientip OUTPUTNEW host AS hostname

So far this search only shows me the distinct IPs (as it should) but it doesn't resolve those IPs.


Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

Splunk Employee

Of course the field name matters.

Try
sourcetype="F5:iRule:WebAccess" NOT uat. cipher=TLSv1 | stats dc(clientip) as distinctCount values(clientip) | where distinctCount>1 | lookup dnsLookup ip AS client_ip OUTPUTNEW host AS hostname

(hopefully hostname is a field that exists for you)


Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

New Member

Tried your search and that didn't work.


Re: How do I edit my props.conf and transforms.conf to do a reverse DNS Lookup on a certain field?

New Member

Also, I don't have a hostname field. The only fields I have in my stats view are distinct view and client_ip.
