In my fw queries, I use two lookups in my queries, one to a lookup file that I created and manage called server_ip_lookup... and then a second one that does a dns lookup on source and destination

index="internetfirewalls" AND sourcetype="cisco:asa"

|lookup server_ip_lookup IPAddress as src_ip
output DeviceName as "Src_Device"
|lookup server_ip_lookup IPAddress as dest_ip
output DeviceName as "Dest_Device"

|stats count by dest_ip, Dest_Device, dest_port, src_ip, Src_Device, action, rule_id, transport
|sort -count

|lookup dnslookup clientip as src_ip OUTPUT clienthost as Src_Resolved
|lookup dnslookup clientip as dest_ip OUTPUT clienthost as Dest_Resolved
| eval Src_Device = if(Src_Device="-", Src_Resolved, Src_Device)
| eval Dest_Device = if(Dest_Device="-", Dest_Resolved, Dest_Device)
|table count, transport, src_ip, Src_Device, dest_ip, Dest_Device, dest_port, action, rule_id