Hello,
I have a problem with dnslookup. I want to check the hostname of an IP; the IP is the address of a host which is sending to one of the indexers. The dnslookup on the search head is not able to resolve it, while, for example, the DNS lookup on the indexer is able to do so. I'm looking forward to a solution; I was searching for a possibility to use dnslookup or a search from the indexer and get back the result, but I haven't found anything.
Maybe some forwarders are behind NAT, which is why you cannot see their real address but only the NAT address.
You can try finding the missing host in the results of the second search and look at the IP address. This may give you an idea.
Sorry for taking so long. Your answer is quite good, but not all IPs can be resolved this way. Do you know why the metrics don't have all the host IP information, and is there any other way to succeed?
Hi @Astorn,
I think your indexer and search head are using different DNS servers, or their domain settings are different. You can find the hostname of that IP address from the Metrics logs using the search below.
index=_internal sourceIp=<ip> component=Metrics group=tcpin_connections
| head 1
| table sourceIp hostname
You can also use a similar search to create a lookup that can be used in your searches:
index=_internal component=Metrics group=tcpin_connections
| stats values(hostname) as hostname by sourceIp
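
The lookup approach from the answer above, carried through to an actual lookup file and its use, as an added example that is not part of the original posts. The first search saves the most recent hostname seen per sourceIp; the second enriches events from it and falls back to the built-in dnslookup, marking anything still unknown as unresolved. The file name example_forwarder_hostnames.csv, the output field names, and the placeholders <your_index> and <ip_field> are assumptions to replace with your own.

```spl
index=_internal component=Metrics group=tcpin_connections
| stats latest(hostname) as hostname by sourceIp
| outputlookup example_forwarder_hostnames.csv

index=<your_index>
| lookup example_forwarder_hostnames.csv sourceIp AS <ip_field> OUTPUT hostname AS fwd_hostname
| lookup dnslookup clientip AS <ip_field> OUTPUT clienthost AS dns_hostname
| eval resolved_host=coalesce(fwd_hostname, dns_hostname, "unresolved")
| stats count by <ip_field> resolved_host
```

Run the first search on a schedule so the lookup stays current. Filtering the second search on resolved_host="unresolved" lists the addresses that neither the metrics data nor DNS could name.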