Splunk Search

How to resolve IP to external hostname and list it in a field?

chrisprangnell
Path Finder

Hello,

I've been reading a lot of posts here, but I seem to be missing something because I'm not understanding.

Search Rule

ACCEPT |  lookup dnslookup clientip AS src_ip OUTPUT clienthost as Hostname

Output

5/13/16
2:37:03.000 PM  
2 698177307011 eni-8eceafeb 54.187.193.193 172.31.8.32 443 50656 6 8 3684 1463114223 1463114226 ACCEPT OK
dest_ip = 172.31.8.32 host = ip-10-20-6-215 src_ip = 54.187.193.193
5/13/16

I'm not getting any new field called "hostname" and it certainly isn't populating with a resolved DNS.

What am I missing? I want to see all the resolved IPs' hostnames in a field populated.

Any assistance appreciated.

0 Karma

jkat54
SplunkTrust

Please go to settings -> lookups -> lookup definitions and see if you have a lookup named "dnslookup".

If it is there, make sure it is enabled and shared with the desired permissions.

Then, make sure the Splunk server that is executing the lookup has proper DNS servers set up.

Finally, check "index=_internal log_level=warn* OR log_level=err*" and "index=_internal external_lookup.py" for any errors, and let us know what you find.

0 Karma

sundareshr
Legend

In addition, ensure the dnslookup definition is mapped to the right .csv file. Also remember the field names (in & out) are case-sensitive. It's probably just a typo, but you have Hostname with upper & lower "h" in your question.

0 Karma

jkat54
SplunkTrust

@sundareshr, the dnslookup lookup is an external lookup that uses a Python script. If the OP doesn't have it, then it's probably due to their version of Splunk. It was news to me as well, but I do have this lookup in Splunk 6.4 on my local machine.

0 Karma

sundareshr
Legend

Good to know. Thanks.

0 Karma
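
Added example (not code from this thread and not Splunk's own external_lookup.py): a sketch of the CSV-in, CSV-out exchange that an external lookup script such as dnslookup performs, showing exact-case field matching and the blank clienthost returned when an address has no PTR record. The function names, the stub resolver and the hostname in STUB_PTR are assumptions constructed for the illustration; the two IP addresses are the ones from the event in the question.

```python
import csv
import io
import socket

def reverse_dns(ip):
    """Return the PTR name for ip, or '' when the resolver has no answer."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror and socket.gaierror are OSError subclasses
        return ""

def run_lookup(infile, outfile, host_field, ip_field, resolver):
    """Fill host_field from ip_field for every CSV row read from infile."""
    reader = csv.DictReader(infile)
    header = reader.fieldnames or []
    # Field names are matched exactly: 'ClientIP' is not 'clientip'.
    missing = [f for f in (host_field, ip_field) if f not in header]
    if missing:
        raise ValueError("lookup fields not in header: " + ", ".join(missing))
    writer = csv.DictWriter(outfile, fieldnames=header)
    writer.writeheader()
    cache = {}  # resolve each distinct address once per invocation
    for row in reader:
        ip = row[ip_field]
        if ip and not row[host_field]:
            if ip not in cache:
                cache[ip] = resolver(ip)
            row[host_field] = cache[ip]
        writer.writerow(row)

def lookup_rows(csv_text, resolver=reverse_dns,
                host_field="clienthost", ip_field="clientip"):
    """Run the lookup over CSV text and return the output rows as dicts."""
    out = io.StringIO()
    run_lookup(io.StringIO(csv_text), out, host_field, ip_field, resolver)
    return list(csv.DictReader(io.StringIO(out.getvalue())))

# Constructed input: header plus the two addresses from the event above.
SAMPLE = "clienthost,clientip\n,54.187.193.193\n,172.31.8.32\n"
STUB_PTR = {"54.187.193.193": "host.example.net"}  # constructed PTR answer

if __name__ == "__main__":
    for row in lookup_rows(SAMPLE, resolver=lambda ip: STUB_PTR.get(ip, "")):
        print(row)
```

Passing the default `reverse_dns` resolver instead of the stub performs real PTR queries through the DNS servers configured on the machine running it, which is why the search head's resolver settings matter.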