Does the target need to be an existing extraction?
For example:
LOOKUP-rdns = dnsLookup ip AS Client_Address
Does "Client_Address" have to be an existing field that's extracted (and presumably populated with IP addresses) -- or is this a new field that is created?
(in either case, still not getting this to work...)
/opt/splunk/etc/system/local/transforms.conf
[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip
/opt/splunk/etc/system/local/props.conf
[access_log-too_small]
LOOKUP-rdns = dnsLookup ip AS Client_Address
Also tried "source_ip" (vs. Client_Address) because it's an existing extraction that's populated with IP addresses, yes, appearing under the sourcetype "access_log-too_small".
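For reference, here is the script side of this setup, added as an example and not part of the original post or of Splunk's bundled external_lookup.py. In a `LOOKUP-<name> = <lookup> <lookup_field> AS <event_field>` line, `<event_field>` is an existing field in the search results; Splunk takes its value from each event and sends it to the script in the lookup's input column. So with `ip AS Client_Address`, each row the script receives has the `ip` column filled from the event's `Client_Address` value and the `host` column empty, and the script's job is to fill `host`. The script below follows the external lookup protocol (field names as arguments, CSV with a header on stdin, the same CSV with the blanks filled on stdout); the sample input and the stub resolvers are constructed so it runs offline, while `main()` uses real reverse and forward DNS.

```python
#!/usr/bin/env python3
"""Reverse/forward DNS external lookup in the shape Splunk invokes:
    external_lookup.py host ip
Reads CSV rows from stdin, fills whichever of host/ip is empty, writes CSV to stdout.
This is an illustrative reimplementation, not Splunk's shipped script."""
import csv
import io
import socket
import sys
from typing import Callable, Dict, Iterable, List

# A resolver takes a name or address and returns "" when it cannot resolve.
Resolver = Callable[[str], str]


def reverse_dns(ip: str) -> str:
    """PTR lookup; empty string on any failure so the row is passed through unchanged."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return ""


def forward_dns(host: str) -> str:
    """A/AAAA lookup; empty string on failure."""
    try:
        return socket.gethostbyname(host)
    except (socket.gaierror, OSError):
        return ""


def fill_rows(rows: Iterable[Dict[str, str]], host_field: str, ip_field: str,
              rev: Resolver, fwd: Resolver) -> List[Dict[str, str]]:
    """Fill the empty side of each host/ip pair. Rows with both or neither set are untouched."""
    out = []
    for row in rows:
        row = dict(row)
        host = (row.get(host_field) or "").strip()
        ip = (row.get(ip_field) or "").strip()
        if ip and not host:
            row[host_field] = rev(ip)
        elif host and not ip:
            row[ip_field] = fwd(host)
        out.append(row)
    return out


def run_lookup(csv_text: str, host_field: str, ip_field: str,
               rev: Resolver = reverse_dns, fwd: Resolver = forward_dns) -> str:
    """Apply the lookup to a CSV document and return the CSV Splunk expects back."""
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = reader.fieldnames or [host_field, ip_field]
    buf = io.StringIO()
    # extrasaction="ignore" drops any unexpected columns instead of raising.
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n",
                            extrasaction="ignore")
    writer.writeheader()
    for row in fill_rows(reader, host_field, ip_field, rev, fwd):
        writer.writerow(row)
    return buf.getvalue()


# Constructed sample: what Splunk would send for two events, one with only an
# address (from Client_Address via "ip AS Client_Address") and one with only a name.
SAMPLE_INPUT = "host,ip\n,10.0.0.5\nexample.test,\n"

# Constructed stub resolvers so the demo needs no network (hypothetical values).
STUB_REVERSE = {"10.0.0.5": "web1.example.test"}
STUB_FORWARD = {"example.test": "192.0.2.10"}


def demo() -> str:
    """Run the lookup over SAMPLE_INPUT with the stub resolvers."""
    return run_lookup(SAMPLE_INPUT, "host", "ip",
                      rev=lambda ip: STUB_REVERSE.get(ip, ""),
                      fwd=lambda h: STUB_FORWARD.get(h, ""))


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        sys.stderr.write("usage: external_lookup.py <host_field> <ip_field>\n")
        return 2
    sys.stdout.write(run_lookup(sys.stdin.read(), argv[1], argv[2]))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

When wiring this up, the script goes in a bin directory Splunk will search (for example the app's `bin/`), and a quick offline check is to pipe a two-line CSV such as `SAMPLE_INPUT` into `python3 external_lookup.py host ip` and confirm the header comes back with the blanks filled.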