How do I do a reverse DNS lookup in Splunk?

daniel333 · ‎01-22-2019

All,

I have the host name, so I am looking for the IP of that host. Not sure how to do that.

any help?
-Daniel

peiffer · ‎04-05-2019

There has been a lookup dnslookup in splunk for a long time now.
name to ip:

| lookup dnslookup clienthost AS host OUTPUT clientip as ip

ip to name:

| lookup dnslookup clientip AS ip OUTPUT clienthost AS host

adonio · ‎01-22-2019

hello there
if you have lookup table that contains the ip and the host and the fields are: ip, host lets call it dns.csv and you have a search that capture the host
you can run the following search using the lookup command
... your search to find host ... | lookup dns.csv host OUTPUTNEW ip ...

very nice explanation here:
https://answers.splunk.com/answers/588630/understanding-the-lookup-command.html

hope it helps

Michael · ‎02-07-2019

That's not a reverse DNS lookup, that's a table lookup.

I think the assumption (and MY question) is that you don't have a csv file...

Question not answered.

peiffer · ‎05-27-2021

Answered 4/5/2019

| lookup dnslookup clientip AS ip OUTPUT clienthost AS host

How do I do a reverse DNS lookup in Splunk?

Improve Your Security Posture

Maximize the Value from Microsoft Defender with Splunk

This Week's Community Digest - Splunk Community Happenings [6.27.22]