Splunk Search

Lookup not working with a different index

Communicator

Hello

I have written a lookup, dnslookup2, as follows; it simply takes the IP and returns the host:

external_lookup.py host2 ip

I am running this successfully on one of my searches as follows; it correctly calculates the host and returns it in the field host2:

index="tmpprodweblogic" source="*access.log" | rex field=_raw "(?<ip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).* \/(?<Application>[^/]*\/[^/? ]*).*" | lookup dnslookup2 ip

The dnslookup2 is defined inside a transforms.conf for this application and has permissions for all apps (I have checked it in the manager).

However, I just tried to run it against a second index that is also generated through an inputs.conf in the same app, with this search:

index="tmpprodiislogs" *sysfaoloncbwsvc* | rex field=_raw "CSFB[^0-9]*(?<ip>[^A-Z]*)" | dedup ip | search host="slon19p10353" | lookup dnslookup2 ip 

This search does not generate an error so it must be finding dnslookup2, but it does not return a field called host2.

Am I doing something wrong? Is there a reason why it would work for one index and not the other? Is there any way to get more information out of Splunk about where it is failing?

Thanks! Hazel

1 Solution

Communicator

I have found the answer to this question. Looking at the regex in the second instance, written by my colleague, the regex is not strict enough and allows spaces before/after the IP address to be included.

I have now fixed this by using the regex from my first query in my colleague's query, as follows:

index="tmpprodiislogs" *sysfaoloncbwsvc* host="slon19p10353" | rex field=_raw "(?<ip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\.*" | dedup ip | lookup dnslookup2 ip | fields ip host2

I have also kept the more efficient statement switch - thanks ziegfied!

This works and returns the value from dnslookup2 in host2 🙂

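The reason the second search failed silently is worth seeing in isolation: `lookup` matches on the exact bytes of the key field, so an extracted `ip` that carries a trailing space never matches a row and `host2` is simply absent, with no error. The following Python script is an added illustration, not code from the thread or from Splunk; it replays the thread's two regexes (in Python's `(?P<ip>...)` spelling of the PCRE `(?<ip>...)` group) over a constructed IIS-style event and a constructed stand-in for the dnslookup2 table, and adds the hygiene check a practitioner would run on a lookup key that "just comes back empty".

```python
import re
from typing import Optional

# Constructed IIS-style event standing in for a record from the tmpprodiislogs index.
SAMPLE_EVENT = (
    "2013-05-01 10:15:42 W3SVC1 slon19p10353 GET /sysfaoloncbwsvc/Service.svc "
    "- 443 - CSFB 10.20.30.40 HTTP/1.1 Mozilla/5.0 200"
)

# The colleague's pattern from the thread: after "CSFB" it captures everything
# up to the next upper-case letter, so the space after the address is kept.
LOOSE_PATTERN = re.compile(r"CSFB[^0-9]*(?P<ip>[^A-Z]*)")

# The pattern from the accepted answer: four dotted decimal octets and nothing else.
STRICT_PATTERN = re.compile(r"(?P<ip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)")

# Constructed stand-in for what the dnslookup2 external lookup would return.
REVERSE_DNS = {"10.20.30.40": "web01.internal.example"}


def extract_ip(event: str, pattern: "re.Pattern[str]") -> Optional[str]:
    """Mimic `rex field=_raw`: return the named group 'ip', or None on no match."""
    m = pattern.search(event)
    return m.group("ip") if m else None


def lookup_host2(ip: Optional[str], table: dict) -> Optional[str]:
    """Mimic `lookup dnslookup2 ip`: an exact-key match. Any stray byte in the
    key means no row matches, and host2 is absent rather than an error."""
    if ip is None:
        return None
    return table.get(ip)


def field_hygiene(value: str) -> dict:
    """What to inspect when a lookup silently returns nothing: does the key
    carry whitespace or other characters the lookup table will never contain?"""
    return {
        "length": len(value),
        "has_whitespace": value != value.strip(),
        "non_ip_chars": sorted(set(re.sub(r"[0-9.]", "", value))),
    }


def run_both(event: str = SAMPLE_EVENT) -> dict:
    """Run the loose and strict extractions side by side and look up each result."""
    loose_ip = extract_ip(event, LOOSE_PATTERN)
    strict_ip = extract_ip(event, STRICT_PATTERN)
    return {
        "loose_ip": loose_ip,
        "loose_host2": lookup_host2(loose_ip, REVERSE_DNS),
        "strict_ip": strict_ip,
        "strict_host2": lookup_host2(strict_ip, REVERSE_DNS),
        "loose_hygiene": field_hygiene(loose_ip) if loose_ip is not None else None,
    }


if __name__ == "__main__":
    for key, value in run_both().items():
        print(f"{key}: {value!r}")
```

The loose pattern yields `'10.20.30.40 '` (twelve characters, trailing space) and no `host2`; the strict pattern yields `'10.20.30.40'` and the expected host. In SPL the same diagnosis is `| eval ip_len=len(ip)` on the extracted field, and `| eval ip=trim(ip)` before the `lookup` is the quick workaround when the regex cannot be tightened immediately.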

Influencer

Does the following search give you a list of the IPs?

index="tmpprodiislogs" *sysfaoloncbwsvc* host="slon19p10353" | rex "CSFB[^0-9]*(?<ip>[^A-Z]*)" | dedup ip | table ip

(I've changed the order, because restricting on host before the rex/dedup commands is more efficient.)


Communicator

This does bring back the IPs, but I am trying to get the dnslookup to work. If I add lookup dnslookup2 ip, it just brings back an empty host2. Why would this not work on this search but work on the other?
