Well, apparently I had errors in constructing the "input / output" to Splunk.
So I decided to embed the code of the function "rlookup()" in the file dnslookup.py,
even adding a DNS server parameter that can be sent from the Splunk search. My code is:
import commands
import csv
import re
import socket
import string
import sys
from socket import gethostbyaddr
from socket import gethostbyname

import dns.exception
import dns.resolver
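def rlookup(ipaddy, ipdns):
    """Reverse-resolve an IPv4 address to a hostname using the given DNS server(s).

    Args:
        ipaddy: Dotted-quad IPv4 address. Anything else (hostnames, IPv6,
            blanks, None) yields '' and no query is sent.
        ipdns: IP literal of the nameserver to ask, or several separated by
            ','. The old inline comment promised the comma form but the code
            passed the whole string as one server; both forms work now.

    Returns:
        The first PTR target as dnspython renders it (normally with a
        trailing '.'), or '' when the input is rejected, no usable
        nameserver was given, or the lookup fails (NXDOMAIN, no answer,
        timeout, unreachable server).
    """
    digits = "0123456789"

    def octet_ok(text):
        # ASCII decimal only, so non-ASCII digits that pass str.isdigit()
        # never reach int(); value range 0..255.
        return bool(text) and all(c in digits for c in text) and int(text) <= 255

    octets = str(ipaddy).strip().split('.')
    if len(octets) != 4 or not all(octet_ok(o) for o in octets):
        return ''

    # The nameserver string arrives verbatim from the search command line.
    # Keep only entries made of IP-literal characters so a hostname or junk
    # is rejected here instead of failing (or being tried) inside dnspython.
    ip_chars = set("0123456789abcdefABCDEF.:")
    nameservers = [s.strip() for s in str(ipdns).split(',') if s.strip()]
    if not nameservers or any(set(s) - ip_chars for s in nameservers):
        return ''

    # 1.2.3.4 -> 4.3.2.1.in-addr.arpa; '.'.join replaces the Python 2-only
    # string.join().
    ptr_name = '.'.join(reversed(octets)) + '.in-addr.arpa'
    try:
        my_resolver = dns.resolver.Resolver()
        my_resolver.nameservers = nameservers
        # query() exists on dnspython 1.x and 2.x (2.x prefers resolve()).
        # An unresponsive server stalls every row for the resolver's default
        # lifetime; set my_resolver.lifetime to bound that if it matters.
        answer = my_resolver.query(ptr_name, "PTR")
        return str(answer[0])
    except (dns.exception.DNSException, ValueError, IndexError):
        # Best effort: the caller substitutes its own fallback value.
        return ''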
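def _skip_splunk_preamble(stream):
    """Discard the extra lines Splunk sends before the CSV; they end at a blank line (or EOF)."""
    while True:
        line = stream.readline()
        if not line.strip():
            break


def _resolve_field(method, value, dnsserver, ipv4_re):
    """Resolve one field value according to *method*; any failure returns *value* unchanged.

    reverse: dotted-quad IPv4 values go to rlookup() on *dnsserver*; anything
             else is passed through untouched.
    forward: socket.gethostbyname() of the value.
    """
    try:
        if method == "reverse":
            if ipv4_re.match(value):
                return rlookup(value, dnsserver)
            return value
        if method == "forward":
            return gethostbyname(value)
        return value
    except Exception:
        # Best effort per row: one failed lookup must not abort the stream.
        return value


def main():
    """Splunk external command: add a resolved-name column next to an input field.

    Command line:
        dnslookup <reverse|forward> <input field> <output field> <dns server>

    Reads the CSV Splunk pipes on stdin (after the preamble that ends at a
    blank line), inserts *output field* right after *input field* in the
    header, and fills it for every row:
        reverse: PTR lookup of an IPv4 value via rlookup() on <dns server>;
                 non-IPv4 values are copied through unchanged.
        forward: socket.gethostbyname() of the value.
    A row whose lookup fails keeps its original value in the new column.
    <dns server> is handed to rlookup() verbatim.

    Exits 1 with the usage text on bad arguments. On an unexpected error
    (for example *input field* missing from the header) the traceback goes
    to stderr and the exit status is 1.
    """
    import traceback

    debug = False
    # debug = True
    usage = "usage: dnslookup <reverse|forward> <input field> <output field> <dns server>"

    # All four arguments are mandatory: the old test accepted three and then
    # indexed sys.argv[4], which raised IndexError.
    if len(sys.argv) < 5 or sys.argv[1] not in ("reverse", "forward"):
        print(usage)
        sys.exit(1)
    method, inputfield, outputfield, dnsserver = sys.argv[1:5]

    # Same dotted-quad pattern as before, compiled once instead of per row.
    ipv4_re = re.compile(
        r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}"
        r"([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$")

    # NOTE: fixed file name in a shared temp directory, so the trace (which
    # contains the search data) is readable by every local user and the path
    # can be pre-created by someone else; leave debug off outside a scratch box.
    log = open("/tmp/moo.log", 'w') if debug else None

    def dbg(text):
        # Debug trace line; no-op unless debug is on.
        if log is not None:
            log.write(text + "\n")

    try:
        _skip_splunk_preamble(sys.stdin)
        reader = csv.reader(sys.stdin)
        writer = csv.writer(sys.stdout)

        headers = next(reader, None)
        if headers is None:
            return  # nothing after the preamble: nothing to emit
        dbg("headers_string: " + str(headers))
        # ValueError here (input field not in the header) ends up in the
        # handler below. The index stays valid after the insert because the
        # new column goes to the right of it.
        idx = headers.index(inputfield)
        dbg("index of inputfield (" + inputfield + "): " + str(idx))
        headers.insert(idx + 1, outputfield)
        dbg("appended headers_string: " + str(headers))
        writer.writerow(headers)

        for row in reader:
            dbg("row: " + str(row))
            # A short row has no value at idx; treat it as blank rather than
            # abort the whole search.
            value = row[idx] if idx < len(row) else ''
            dbg("address to resolve: " + value)
            fqdn = _resolve_field(method, value, dnsserver, ipv4_re)
            dbg("gethostby... result: " + fqdn)
            dbg("")
            row.insert(idx + 1, fqdn)
            dbg("row: " + str(row))
            writer.writerow(row)
    except Exception:
        stack = traceback.format_exc()
        dbg(stack)
        # The original handed this to splunk.Intersplunk.generateErrorResults,
        # which is never imported in this file, so the handler itself raised
        # NameError. Writing to stderr is what Splunk normally surfaces in
        # the search log for an external command.
        sys.stderr.write("Error : Traceback: " + stack)
        sys.exit(1)
    finally:
        if log is not None:
            log.close()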
# Splunk invokes this file as an external search command; importing it does nothing.
if __name__ == '__main__':
    main()
Now I run the search like this: host=172.17.18.19 src_ip=* | dnslookup reverse src_ip hostname "172.24.24.24"
Where hostname is the output field that receives the resolved name.
And "172.24.24.24" is whichever DNS server you want to query.
I hope it is useful to someone.
John, thank you very much for your post; it was a great help, and it will serve me well since my Splunk is multi-client and needs to resolve against different DNS servers.
Regards!!
Jorge