Splunk Search

How to get my search that currently gives me IP addresses to also give me the DNS name of servers?

bworrellZP
Communicator

So I have a search that gives me IP addresses of internal servers. I would like to modify it so that it gives me the IP and DNS name of the servers.

Looking through other Answers, I have created a transforms.conf in Splunk\etc\system\local with the below.

[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

But when I search with:

index=*  src_ip="10.0.0.0/8" YouTube.com sourcetype!=optiv_threat_list  | lookup dnslookup ip as dst

I get this error:

Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table

I know I am missing something, but not sure what.

Thanks

0 Karma
1 Solution

bworrellZP
Communicator

index=* src_ip="10.0.0.0/8" YouTube.com sourcetype!=optiv_threat_list |dedup src_ip | lookup dnslookup clientip AS src_ip OUTPUT clienthost as Hostname

That was the ultimate solution


0 Karma


woodcock
Esteemed Legend

In the latest versions of Splunk this is now built in and enabled by default, so there is no need to add or configure anything. If you are only interested in getting it working and you are on an older version of Splunk, you can download this app:
https://splunkbase.splunk.com/app/1535/

0 Karma

bworrellZP
Communicator

I am running 6.3.1 currently.

Before adding that to the transform, I still did not get any IP to DNS resolution. Since I was looking at an old answer, is the search format different as well?

0 Karma

woodcock
Esteemed Legend

The built-in one uses clientip and clienthost so you should use this, assuming you have a field called dst:

index=* src_ip="10.0.0.0/8" YouTube.com sourcetype!=optiv_threat_list | lookup dnslookup clientip AS dst
0 Karma

bworrellZP
Communicator

The example I was looking at used dst; I figured it was a Splunk field of note. Looking, I guess it is not.

So if I do not have a field of that name, and wanted to use Hostname instead, how would I go about adding it for manual dynamic searches like this?

0 Karma

woodcock
Esteemed Legend

Like this:

index=* src_ip="10.0.0.0/8" YouTube.com sourcetype!=optiv_threat_list | lookup dnslookup clientip AS YourFieldnameHereForDottedQuadIP

So if your field Hostname contains DottedQuads, then this:

index=* src_ip="10.0.0.0/8" YouTube.com sourcetype!=optiv_threat_list | lookup dnslookup clientip AS Hostname
0 Karma

bworrellZP
Communicator

Hrm, so then if this were to work, I would have a new field name created, due to the AS statement, when I look at my fields list in my search, correct?

If that is the case, then I must have something wrong, as there is no new field, regardless of the name I use.

0 Karma

bworrellZP
Communicator

Figured it out; something was missing.

index=* src_ip="10.0.0.0/8" YouTube.com sourcetype!=optiv_threat_list |dedup src_ip | lookup dnslookup clientip AS src_ip OUTPUT clienthost as Hostname

That worked and gave me the hostname field.

The documentation for this new lookup was missing that; I found it on a Google search, in someone's blog.

0 Karma
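As an added example (not from this thread or from Splunk's own external_lookup.py), this script shows what the `external_cmd` behind a transforms.conf stanza like the one above has to do: Splunk invokes it with the field names from `fields_list` as arguments (here `clientip clienthost`, the names the built-in dnslookup uses), pipes in a CSV whose header carries those fields, and expects the same CSV back with the blank field filled from the populated one. The forward and reverse tables are constructed stand-ins for the DNS calls a real script would make, so it runs offline; a header that lacks the requested fields is rejected, which is the script-side counterpart of the "Could not find all of the specified lookup fields" error.

```python
import csv
import io
import sys

# Constructed resolution tables standing in for socket.gethostbyname /
# socket.gethostbyaddr, so the example is deterministic and needs no network.
FORWARD = {"web01.corp.example": "10.1.2.3", "db01.corp.example": "10.1.2.4"}
REVERSE = {ip: host for host, ip in FORWARD.items()}


def resolve(row, ip_field, host_field, fwd=FORWARD, rev=REVERSE):
    """Fill whichever of the two lookup fields is blank in one CSV row.

    Splunk sends the input field populated and the OUTPUT field blank; the
    script returns the row with the blank filled. A value that does not
    resolve stays blank, which Splunk treats as 'no match' for that event.
    """
    ip, host = row.get(ip_field, ""), row.get(host_field, "")
    if ip and not host:
        row[host_field] = rev.get(ip, "")
    elif host and not ip:
        row[ip_field] = fwd.get(host, "")
    return row


def run_lookup(csv_in, ip_field, host_field):
    """Process a whole CSV document (header + rows) and return the CSV text
    Splunk expects back: identical header, every row passed through resolve()."""
    reader = csv.DictReader(io.StringIO(csv_in))
    names = reader.fieldnames or []
    if ip_field not in names or host_field not in names:
        # The search asked for fields this lookup definition does not declare.
        raise ValueError(f"lookup fields {ip_field},{host_field} not in header {names}")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=names, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(resolve(row, ip_field, host_field))
    return out.getvalue()


if __name__ == "__main__":
    # Splunk runs: external_lookup.py clientip clienthost  (names from fields_list)
    ip_field, host_field = sys.argv[1], sys.argv[2]
    sys.stdout.write(run_lookup(sys.stdin.read(), ip_field, host_field))
```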