Splunk Search

Why is a DNS Lookup through a text input form not working?

tmeader
Contributor

Been trying for the past day and a half now to get this search working to no avail. This search is one of several on a dashboard we're using to gather some host information for compliance checking. The input value of the form is just a single text field, where the user can put in either an IP or FQDN-style name to be used to look up the value of the "host" field in Splunk. I've been trying to add the ability for Splunk to automatically look up any IPs that are entered in DNS (using the usual external lookup), and then use that value as well in searching for the "host". Here's the search I'm using ($hosttag$ is obviously the name of the textfield input):

host=$hosttag$ OR host='[| eval clientip="$hosttag$" | lookup dnslookup clientip | rex field=clienthost "(?<shorthost>[^\.]+)\..*" | return shorthost]*' | stats count(sourcetype) by sourcetype

As you can see, I'm trying to get the FQDN, strip it back to the first stanza, and then return that back from the subsearch. This does not appear to be working at all though. There's never a value returned from the subsearch. I can confirm that running the external lookup with the data separately works fine, but this refuses to find anything.

Likewise, I've tried a different method, in case the "return" was possibly messing something up:

host=$hosttag$ OR [| eval clientip="$hosttag$" | lookup dnslookup clientip | rex field=clienthost "(?<shorthost>[^\.]+)\..*" | rename shorthost as host | fields + host] | stats count(sourcetype) by sourcetype

This version wouldn't have the "*" wildcard at the end of the returned host value from the subsearch, but based on our test data, it should still be finding values... it's not.

Could anyone point out what's going on here? Haven't had too many issues with dnslookups in the past, but this is getting INCREDIBLY frustrating.

Thanks in advance.

masonmorales
Influencer

Does this get you any closer?

 host=$hosttag$ 
 | lookup dnslookup clientip AS host OUTPUT clienthost 
 | rex field=clienthost "(?<shorthost>[^\.]+)\..*" 
 | append [search *shorthost* OR clienthost]
 | stats count(sourcetype) by sourcetype

tmeader
Contributor

Unfortunately, no.

Unless I'm following it wrong, there would be no value for "host" to be put into dnslookup in this version, assuming that "host=$hosttag$" returned no results with the IP lookup (which is the reason I'd want to do the dnslookup to begin with)? As such, there are still never any results returned. I seem to think a subsearch would be the way to go... perhaps I'm wrong there. But I mainly just don't understand why dnslookup isn't returning anything when being fed a valid value in the first examples. About to break down and ask support on this... getting incredibly frustrated on something that ought to be extremely simple.

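As an added example (not code from either poster in this thread), here is one way to write the DNS-driven subsearch so that it always produces a row for the outer search to consume. It rests on an assumption the thread does not state: a subsearch has to begin with a generating command, so it starts with `makeresults` to create the single event that `eval` and `lookup dnslookup` then operate on. The `case()` falls back to the raw token when reverse DNS returns nothing, so the outer search degrades to `host=X OR host=X` instead of a subsearch with no value, and `return $shorthost` hands back just the value rather than a `field=value` pair. `$hosttag$` is the dashboard token from the original post; `clientip`/`clienthost` are the field names the bundled dnslookup expects.

```spl
host=$hosttag$ OR host=[
    | makeresults
    | eval clientip="$hosttag$"
    | lookup dnslookup clientip OUTPUT clienthost
    | eval shorthost=case(
        isnotnull(clienthost), replace(clienthost, "\..*$", ""),
        true(), "$hosttag$")
    | return $shorthost
]
| stats count(sourcetype) by sourcetype
```

To check the subsearch on its own, run everything between the square brackets as a standalone search with a literal address in place of `$hosttag$`; it should show one row with `clientip`, `clienthost` and `shorthost` populated. If `clienthost` is empty there, the problem is the external lookup's DNS resolution on the search head, not the subsearch wiring.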