Splunk Search

Dnslookup can't resolve IP of events from indexers to hostname because they are in another network

Astorn
Loves-to-Learn

Hello,

I have a problem with dnslookup. I want to check what the hostname of an IP is; the IP is the address of the host which is sending to one of the indexers. The dnslookup on the search head is not able to resolve it, while, for example, the DNS lookup on the indexer is able to do so. I'm looking forward to a solution; I was searching for a possibility to use dnslookup or search from the indexer and get back the result, but I haven't found anything.


scelikok
SplunkTrust

Maybe some forwarders are behind NAT; that is why you cannot see their real address, only the NAT address.

You can try finding the missing host in the second search results and see the IP address. This may give an idea.

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Astorn
Loves-to-Learn

Sorry for taking so long. Your answer is quite good, but not all IPs can be resolved in this way. Do you know why the metrics don't have all the host IP information, and is there any other way to succeed?


scelikok
SplunkTrust

Hi @Astorn,

I think your indexer and search head are using different DNS servers, or the domain settings are different. You can find the hostname of that IP address from the Metrics logs using the search below.

index=_internal sourceIp=<ip> component=Metrics group=tcpin_connections
| head 1
| table sourceIp hostname

You can also use similar search to create a lookup that can be used in your searches;

index=_internal component=Metrics group=tcpin_connections
| stats values(hostname) as hostname by sourceIp

If this reply helps you an upvote and "Accept as Solution" is appreciated.
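The two searches above carried through to a reusable lookup, as an added example that is not scelikok's own code: the first search writes an IP-to-hostname table from the indexers' Metrics logs and flags IPs that several forwarders share (the NAT case mentioned earlier), and the second search enriches events with it, falling back to Splunk's built-in `dnslookup` external lookup (fields `clientip`/`clienthost`). The lookup file name `fwd_ip_to_host.csv`, the 7-day window, the `<your_index>` placeholder and the `src_ip` field name are assumptions.

```spl
index=_internal component=Metrics group=tcpin_connections earliest=-7d
| stats values(hostname) AS hostname dc(hostname) AS host_count latest(_time) AS last_seen BY sourceIp
| eval nat_suspect=if(host_count>1, "yes", "no")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| outputlookup fwd_ip_to_host.csv

index=<your_index>
| lookup fwd_ip_to_host.csv sourceIp AS src_ip OUTPUT hostname AS forwarder_host nat_suspect
| lookup dnslookup clientip AS src_ip OUTPUT clienthost AS dns_host
| eval resolved_host=coalesce(forwarder_host, dns_host, "unresolved")
| stats count BY src_ip resolved_host nat_suspect
```

Schedule the first search as a saved search so the CSV stays current; the `dnslookup` fallback still runs on the search head, so it is subject to the same DNS limits described in the question.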