Splunk Search

Lookup not working with a different index

Hazel
Communicator

Hello

I have written a dnslookup2 as follows; it simply takes the IP and returns the host:

external_lookup.py host2 ip

I am running this successfully on one of my searches as follows; it correctly calculates the host and returns it in the field host2:

index="tmpprodweblogic" source="*access.log" | rex field=_raw "(?<ip>[0-9]+.[0-9]+.[0-9]+.[0-9]+).* \/(?<Application>[^/]*\/[^/? ]*).*" | lookup dnslookup2 ip

The dnslookup2 is defined inside a transforms.conf for this application and has permissions for all apps (I have checked it in the manager).

However, I just tried to run it through a second index that is also generated through an inputs.conf in the same app, with this search:

index="tmpprodiislogs" *sysfaoloncbwsvc* | rex field=_raw "CSFB[^0-9]*(?<ip>[^A-Z]*)" | dedup ip | search host="slon19p10353" | lookup dnslookup2 ip 

This search does not generate an error so it must be finding dnslookup2, but it does not return a field called host2.

Am I doing something wrong? Is there a reason why it would work for one index and not the other? Is there any way to get more information out of Splunk about where it is failing?

Thanks! Hazel

1 Solution

Hazel
Communicator

I have found the answer to this question - looking at the regex in the second instance written by my colleague, the regex is not strong enough and allows for spaces before/after the IP address to be included.

I have now fixed this by using my regex from my first query in my colleague's query as follows:

index="tmpprodiislogs" *sysfaoloncbwsvc* host="slon19p10353" | rex field=_raw "(?<ip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.*" | dedup ip | lookup dnslookup2 ip | fields ip host2

I have also kept the more efficient statement switch - thanks ziegfried!

This works and returns the value from dnslookup2 in host2 🙂

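To make the failure mode in the accepted answer concrete, here is an added example (not code from the original thread, and not Splunk's own external_lookup.py). It runs the colleague's loose capture and the accepted answer's strict capture over constructed IIS-style log lines, applies a dedup, and then feeds the keys through a small stand-in for the external lookup contract (assumed from Splunk's documented dnslookup example: CSV rows in on the key column, the same rows out with host2 filled, matched byte-for-byte). The sample lines, the HOST_TABLE contents and the hostnames are all constructed for the demonstration.

```python
import csv
import io
import re

# Constructed sample IIS-style log lines (not from the original post). The
# address is followed by one or more spaces before the next upper-case token,
# which is exactly what the loose capture group swallows.
SAMPLE_LINES = [
    "2013-05-01 10:00:00 CSFB client 10.1.2.3   GET /svc/op1",
    "2013-05-01 10:00:01 CSFB client 10.1.2.4 GET /svc/op2",
    "2013-05-01 10:00:02 CSFB client 10.1.2.3 GET /svc/op3",
]

# The colleague's capture from the question: [^A-Z]* runs up to the next
# capital letter, so the trailing whitespace ends up inside the ip field.
LOOSE_RE = re.compile(r"CSFB[^0-9]*(?P<ip>[^A-Z]*)")
# The capture from the accepted answer: only digits and dots can be in the key.
STRICT_RE = re.compile(r"(?P<ip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)")

# Constructed stand-in for the reverse-DNS answers a real lookup would return.
HOST_TABLE = {
    "10.1.2.3": "web01.example.internal",
    "10.1.2.4": "web02.example.internal",
}


def extract_ips(lines, pattern):
    """Emulate `| rex field=_raw "..." | dedup ip`: capture the ip field from
    each line and keep the first occurrence of each distinct value."""
    seen = []
    for line in lines:
        m = pattern.search(line)
        if m and m.group("ip") not in seen:
            seen.append(m.group("ip"))
    return seen


def external_lookup(csv_text, key="ip", out_field="host2"):
    """Stand-in for an external lookup script (assumed contract): CSV rows
    arrive with the key column, the same rows go back with out_field filled.
    The match is an exact dictionary lookup; nothing is trimmed."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = list(reader.fieldnames)
    if out_field not in fields:
        fields.append(out_field)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row[out_field] = HOST_TABLE.get(row[key], "")
        writer.writerow(row)
    return buf.getvalue()


def lookup_hosts(lines, pattern):
    """Run rex -> dedup -> lookup and return {ip: host2} as the search table
    would show it. An empty host2 means the key did not match."""
    ips = extract_ips(lines, pattern)
    csv_in = "ip\n" + "".join(f'"{ip}"\n' for ip in ips)
    result = {}
    for row in csv.DictReader(io.StringIO(external_lookup(csv_in))):
        result[row["ip"]] = row["host2"]
    return result


if __name__ == "__main__":
    print("loose :", lookup_hosts(SAMPLE_LINES, LOOSE_RE))
    print("strict:", lookup_hosts(SAMPLE_LINES, STRICT_RE))
```

With the loose pattern the dedup does not even collapse the two 10.1.2.3 events, because "10.1.2.3   " and "10.1.2.3 " are different strings, and every lookup comes back empty; with the strict pattern the keys are clean and host2 is populated. Whenever a lookup silently returns nothing, `| table ip | eval len=len(ip)` on the search side is the quickest way to spot invisible whitespace in the key field.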

ziegfried
Influencer

Does the following search give you a list of the IPs?

index="tmpprodiislogs" *sysfaoloncbwsvc* host="slon19p10353" | rex "CSFB[^0-9]*(?<ip>[^A-Z]*)" | dedup ip | table ip

(I've changed the order, because reducing by host before the rex/dedup commands is more efficient.)


Hazel
Communicator

This does bring back the IPs, but I am trying to get the dnslookup to work. If I add lookup dnslookup2 ip, it just brings back an empty host2. Why would this not work on this search but on the other?
