Splunk Search

external_lookup.py fails when one input field is missing

are0002
Path Finder

Hello,

I use an external lookup (dnslookup) for host source info.
I have configured this automatic lookup: dnslookup host AS dst_hostname ip AS dst_ip OUTPUT host AS AAA
This host source has two sourcetypes: pan_threat and pan_traffic.
pan_threat has both input fields, dst_ip and dst_hostname; pan_traffic only has dst_ip.

When I do a search, only the pan_threat sourcetype gets the new output field AAA.

If I change the automatic lookup to exclude host as an input: dnslookup ip AS dst_ip OUTPUTNEW host AS AAA

Then both sourcetypes get the new output field AAA.

Is there any way to make the inputs not mandatory?

Regards
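An added example, not the original poster's script and not Splunk's stock external_lookup.py: a minimal external lookup that treats an empty input column as "nothing to resolve" instead of failing the row. It assumes the documented external lookup contract (lookup field names on argv, CSV rows with those columns on stdin, the same columns written back on stdout with the ones it could fill), and it assumes that an input field absent from the event reaches the script as an empty string. The resolver table and the input rows are constructed for the example so it runs offline; the real DNS resolvers are only used when the script is invoked by Splunk.

```python
#!/usr/bin/env python3
"""Minimal external lookup that tolerates empty input columns.

Added example, not Splunk's external_lookup.py. Assumed contract:
argv = lookup field names, stdin = CSV with those columns,
stdout = same CSV with the fillable columns populated.
"""
import csv
import socket
import sys


def resolve_row(row, forward, reverse):
    """Fill 'host' from 'ip', or 'ip' from 'host', whichever is empty.

    forward(name) -> address and reverse(addr) -> name are resolver
    callables; both raise OSError when the name/address is unknown.
    An empty or unresolvable value leaves the row untouched rather
    than raising, so a sourcetype that carries only one of the two
    fields still gets a result for every row the script is given.
    """
    host = (row.get("host") or "").strip()
    ip = (row.get("ip") or "").strip()
    out = dict(row)  # never mutate the caller's row
    if host and not ip:
        try:
            out["ip"] = forward(host)
        except OSError:
            pass  # NXDOMAIN or resolver failure: pass the row through
    elif ip and not host:
        try:
            out["host"] = reverse(ip)
        except OSError:
            pass
    return out


def resolve_rows(rows, forward, reverse):
    return [resolve_row(r, forward, reverse) for r in rows]


# Real resolvers, used only when invoked by Splunk (see main()).
def dns_forward(name):
    return socket.gethostbyname(name)


def dns_reverse(addr):
    return socket.gethostbyaddr(addr)[0]


# Constructed resolver table so the example runs offline (hypothetical data).
FAKE_DNS = {
    "10.0.0.5": "fw01.example.internal",
    "fw02.example.internal": "10.0.0.6",
}


def table_lookup(key):
    """Offline stand-in for both DNS directions; OSError mimics NXDOMAIN."""
    try:
        return FAKE_DNS[key]
    except KeyError:
        raise OSError("NXDOMAIN")


# Constructed rows in the shape Splunk would hand the script (hypothetical).
CONSTRUCTED_ROWS = [
    {"host": "", "ip": "10.0.0.5"},               # ip only (pan_traffic style)
    {"host": "fw02.example.internal", "ip": ""},  # hostname only
    {"host": "", "ip": ""},                       # neither field in the event
    {"host": "", "ip": "192.0.2.9"},              # ip with no PTR record
]


def demo():
    """Run the constructed rows through the offline resolver."""
    return resolve_rows(CONSTRUCTED_ROWS, table_lookup, table_lookup)


def main():
    # Splunk passes the lookup's fields_list as arguments.
    fields = sys.argv[1:] or ["host", "ip"]
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames or fields)
    writer.writeheader()
    for row in resolve_rows(reader, dns_forward, dns_reverse):
        writer.writerow(row)


if __name__ == "__main__":
    main()
```

Whether a sourcetype's events reach the script at all is decided by the automatic lookup configuration, not by the script; the script only controls what happens to rows whose columns arrive empty.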


BobM
Builder

The easiest option for you is to set up a different lookup for each sourcetype. They can still be based on the same csv table but with different input fields.

If they were the same sourcetype the best option would be to use the fillnull command

index=x sourcetype=y dst_ip=* | fillnull value="Unknown" dst_hostname | where AAA=123

but for this to work, you would need lines in your lookup table that match your filled value.
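The per-sourcetype option from this answer, applied to the field names in the question, as an added configuration example (not the poster's actual config). One external lookup definition is referenced from two props.conf stanzas, each naming only the input fields that sourcetype actually carries; the stanza names dns_threat and dns_traffic are assumed, and OUTPUTNEW is used so an existing AAA value is never overwritten.

```ini
# transforms.conf: one external lookup definition shared by both sourcetypes.
# fields_list must contain every field used as input or output below.
[dnslookup]
external_cmd = external_lookup.py host ip
external_type = python
fields_list = host, ip

# props.conf: automatic lookups are scoped per stanza, so each sourcetype
# gets its own LOOKUP- entry with only the inputs it has.
[pan_threat]
LOOKUP-dns_threat = dnslookup host AS dst_hostname ip AS dst_ip OUTPUTNEW host AS AAA

[pan_traffic]
LOOKUP-dns_traffic = dnslookup ip AS dst_ip OUTPUTNEW host AS AAA
```

To check the definition before relying on the automatic lookup, run the same mapping by hand: `index=x sourcetype=pan_traffic dst_ip=* | lookup dnslookup ip AS dst_ip OUTPUTNEW host AS AAA`.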


gcoles
Communicator

I have mine set up like this:

AUTO_LOOKUP-A: dnslookup clientip AS host OUTPUT clienthost AS hostname
AUTO_LOOKUP-B: dnslookup clienthost AS host OUTPUT clientip AS ip

I set up lookup A to apply to datasets where the hostname is usually an IP address, and lookup B to datasets that contain a hostname instead of an IP for the host field.


are0002
Path Finder

Hi BobM

I don't have a CSV table; I am using a lookup definition (using a Python script). And both sources are from different sourcetypes.

Regards,


