Splunk Search

IF DNS searched then lookup IP to allow search on IP in index

Snazter57
New Member

I have an App that allows users to enter IP addresses and find if the connections between source and destination have been allowed.

I thought it would be useful if the user could enter a DNS entry, as this is more user-friendly, so I started experimenting with searches that use the external_lookup.py script. I started off with this one just to prove the script worked:

index=network srcip=10.1.12.123 AND dstip=10.1.22.10 AND (srcport=80 OR dstport=88) AND Built
| lookup dnsLookup ip as srcip OUTPUT host AS scrhost
| lookup dnsLookup ip as dstip OUTPUT host AS dsthost
| table scrhost,srcport,dsthost,dstport,host

All well and good so far, but what if the user enters a DNS name in the application's form and the search fields srcip and/or dstip become DNS names instead of IP addresses?

How do I tell dnsLookup to look for host? Do I even bother, would it be better to convert the DNS name back to an IP and keep the lookups as they are?

I know that external_lookup.py will perform reverse DNS lookups but I can't get my head round how to achieve this in this situation.

Should I just do a lookup for both and then display the DNS returns only (I don't want the IP addresses in the results, only the DNS names)?

Any thoughts are welcome.

It's probably worth pointing out that the index contains no DNS entries, only IP addresses.

0 Karma

lguinn2
Legend

So that my answer makes some sense, assume that your form accepted a source host name or IP as input from the user and put it in a token named $srcinput$.

Your search could then look like this:

index=xyz and other search terms
| eval hostinput = "$srcinput$"
| eval hostip = if(match(hostinput,"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$"),hostinput,null())
| eval hostname = if(isnull(hostip),hostinput,null())
| lookup dnsLookup ip as hostip host AS hostname OUTPUT ip as srcipToMatch
| where srcip = srcipToMatch

You could also do something similar for the destination ip. Note that dnsLookup can work with either the ip or host as input. The eval commands make sure that either ip or host is supplied to the lookup, but not both.

I am not entirely sure that this will work...

0 Karma
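The two pieces of the answer above are (1) deciding whether the user's input is an IP or a host name so that only one of the lookup's input fields is set, and (2) a lookup that can resolve in either direction. As an added example (not code from the thread or from Splunk's own external_lookup.py), the Python below mirrors both: split_input does the job of the two eval lines, and run_lookup implements the CSV-on-stdin, CSV-on-stdout contract that a Splunk external lookup script follows, filling whichever of ip/host is empty. The name-to-address table is constructed and the resolver is injected so it runs offline; real_resolve, using the system resolver, is only used when the file is run as a script.

```python
import csv
import io
import ipaddress
import socket
import sys

# Constructed name<->address table so the example runs offline (assumption).
FAKE_DNS = {"web01.example.com": "10.1.12.123", "10.1.22.10": "db01.example.com"}

def split_input(value):
    """Mirror the two eval steps: return (hostip, hostname) with exactly one set.
    ipaddress is stricter than the \\d{1,3} regex (rejects 999.1.1.1) and takes IPv6."""
    try:
        ipaddress.ip_address(value)
        return value, ""
    except ValueError:
        return "", value

def fake_resolve(value):
    return FAKE_DNS.get(value, "")

def real_resolve(value):
    # System resolver, forward or reverse; only used when run as a script.
    try:
        if split_input(value)[0]:
            return socket.gethostbyaddr(value)[0]
        return socket.gethostbyname(value)
    except OSError:
        return ""  # unresolvable: leave the field empty, as the stock script does

def fill_row(row, resolve=fake_resolve):
    """Fill whichever of ip/host is empty; the other one is the lookup key."""
    ip, host = row.get("ip", ""), row.get("host", "")
    if ip and not host:
        row["host"] = resolve(ip)
    elif host and not ip:
        row["ip"] = resolve(host)
    return row

def run_lookup(csv_text, resolve=fake_resolve):
    """Process the CSV Splunk pipes to an external lookup; return the output CSV."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(fill_row(row, resolve))
    return out.getvalue()

if __name__ == "__main__":
    sys.stdout.write(run_lookup(sys.stdin.read(), real_resolve))
```

An unresolvable host or address comes back with the other column empty, so a search that filters on that column (the where clause above) matches nothing rather than everything.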

Snazter57
New Member

Hi lguinn, I have been working with your answer on and off today and it is a good start and has got me thinking. The answer seems to have a problem outputting host as hostname if I set $srcinput$ as a DNS name. I may have interpreted your answer incorrectly, as I can't see why the "where" command is needed. I am currently building the query in Search as I can't get the App to use external_lookup.py (I think I need to restart Splunk to accept the App changes, new transforms.conf etc.). Do I need to do another search after the where once I have populated srcipToMatch?

0 Karma