Getting Data In

Having some trouble with a lookup table.

mloven
Path Finder

Hi all. I'm having some issues getting a lookup table to work properly. Here are the pertinent details:

I have a csv file (called combined.csv) in /opt/splunk/etc/apps/search/lookups that has two columns. It looks like this:

ipaddress,resolved
192.168.1.1,host1
192.168.1.2,host2
192.168.1.3,host3
and so on...

I have this in my /opt/splunk/apps/search/local/transforms.conf:

[dns_lookup]
filename = combined.csv
max_matches = 1

And this in my /opt/splunk/apps/search/local/props.conf:

[dns_lookup]
LOOKUP-dns = dns_lookup ipaddress OUTPUT resolved

I've restarted Splunk multiple times.

Basically, I followed the instructions for using a static lookup table here but I'm not getting the results I was shooting for. I was hoping that the "resolved" field would show up when I did a search, but I'm seeing no new fields.

I don't really even know where to begin troubleshooting this one. Anyone have any suggestions?

1 Solution

tgow
Splunk Employee

Make sure that the field "ipaddress" is also in your data with a sourcetype of "syslog". The "ipaddress" field with a sourcetype of syslog has to match the first column in your combined.csv file, "ipaddress". Here is an example of what should work:

Sample syslog:

    Sep 29 15:57:36 acmepayroll sshd[14867]: Failed password for invalid user rpm from 110.172.158.2 port 33907 ssh2

The "110.172.158.2" must be assigned to the field "ipaddress". If it is not, then you can pull the field out in the transforms.conf file.

props.conf:

    [syslog]
    LOOKUP-dns = dns_lookup ipaddress OUTPUTNEW resolved
    REPORT-dns = getip

transforms.conf:

    [dns_lookup]
    filename = combined.csv
    max_matches = 1
    min_matches = 1

    # Field extraction referenced by REPORT-dns: captures the token after "from"
    # and names it "ipaddress", the lookup's match column.
    [getip]
    REGEX = from\s+([^\s]+)
    FORMAT = ipaddress::$1

Log back into Splunk and you should be able to run the following search:

    sourcetype=syslog | table ipaddress, resolved

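To make the mechanics of the answer above concrete, here is an added Python example (not Splunk's code and not anything posted in this thread) that emulates the two stanzas: the `[getip]` REPORT extraction that creates `ipaddress` from the text after "from", and the `[dns_lookup]` CSV lookup that adds `resolved` with `max_matches = 1` and OUTPUTNEW semantics. The lookup rows and the extra syslog lines are constructed for the example (only the first event is the answer's own sample line). It also includes a small diagnostic, `lookup_input_present`, that checks what went wrong in the question: a lookup whose match column is not an actual field on the events silently adds nothing, which is exactly the "no new fields" symptom.

```python
import csv
import io
import re

# Constructed lookup contents, mirroring the two-column combined.csv from the question.
# The 110.172.158.2 row is made up so the answer's sample event resolves.
COMBINED_CSV = """ipaddress,resolved
192.168.1.1,host1
192.168.1.2,host2
110.172.158.2,acmepayroll-client
"""

# Constructed sample events; the first line is the one from the accepted answer.
SAMPLE_EVENTS = [
    "Sep 29 15:57:36 acmepayroll sshd[14867]: Failed password for invalid user rpm from 110.172.158.2 port 33907 ssh2",
    "Sep 29 15:58:01 acmepayroll sshd[14870]: Accepted password for alice from 192.168.1.2 port 51000 ssh2",
    "Sep 29 15:59:10 acmepayroll sshd[14871]: Received disconnect from 10.0.0.9 port 40000",
    "Sep 29 16:00:00 acmepayroll cron[200]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Equivalent of [getip]: REGEX = from\s+([^\s]+), FORMAT = ipaddress::$1
GETIP_REGEX = re.compile(r"from\s+([^\s]+)")


def extract_fields(raw):
    """Return the fields the REPORT-dns transform would add to one event."""
    fields = {"_raw": raw}
    m = GETIP_REGEX.search(raw)
    if m:
        fields["ipaddress"] = m.group(1)
    return fields


def load_lookup(csv_text):
    """Parse the lookup CSV into (header, rows). header[0] is the match column."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return reader.fieldnames, list(reader)


def apply_lookup(fields, rows, input_field="ipaddress", output_field="resolved", max_matches=1):
    """Emulate LOOKUP-dns = dns_lookup ipaddress OUTPUTNEW resolved.

    If the event carries no field named input_field, nothing is added. This is
    the silent failure from the question: the lookup column must be the name of
    a field that really exists on the events.
    """
    if input_field not in fields:
        return fields
    matches = [r for r in rows if r.get(input_field) == fields[input_field]]
    for r in matches[:max_matches]:
        # OUTPUTNEW: only set the field if the event does not already have it.
        fields.setdefault(output_field, r[output_field])
    return fields


def enrich(events, csv_text):
    """Run extraction then lookup over a list of raw events."""
    _header, rows = load_lookup(csv_text)
    return [apply_lookup(extract_fields(e), rows) for e in events]


def lookup_input_present(input_field, events):
    """Diagnostic: does the lookup's match column exist as a field on any event?
    Run this before blaming the lookup itself (or restarting Splunk again)."""
    return any(input_field in extract_fields(e) for e in events)


if __name__ == "__main__":
    print("match column present on events:", lookup_input_present("ipaddress", SAMPLE_EVENTS))
    for row in enrich(SAMPLE_EVENTS, COMBINED_CSV):
        print(row.get("ipaddress", "-"), row.get("resolved", "-"))
```

The third event extracts an `ipaddress` that has no CSV row, so it gets no `resolved` field, and the cron event has no "from" at all, so neither field appears; both look identical to the question's symptom in a `table` view, which is why checking the input field first (the `lookup_input_present` step) saves time.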

mloven
Path Finder

That was the ticket. I wasn't aware that the column name in my lookup table needed to be a valid field. I changed it to "host" and now it works like a champ.

Thanks all!


hjwang
Contributor

Make sure you have the sourcetype dns_lookup, because [stanza_name] is the sourcetype, host, or source to which this lookup applies and can't use regex-type syntax.

mloven
Path Finder

OK, so I changed my props.conf to:

    [syslog]
    LOOKUP-dns = dns_lookup ipaddress OUTPUT resolved

I missed the part where that stanza name had to refer to the sourcetype (or source, host, etc). All of the events on this system are of the syslog sourcetype.

I've restarted again, but I'm still getting the same results.

EDIT... sorry... can't change the formatting in my comment. That props.conf stanza should look exactly like my original one, except the [dns_lookup] has been replaced by [syslog].


gkanapathy
Splunk Employee

Well, you can actually use a regex-like syntax for [host::] and [source::] (and also sourcetype stanzas if you really must).
