I recently came across a very handy command in Splunk, the lookup command. Thanks to this website I was able to learn how to use the lookup command to give me more relevant results. Instead of Splunk listing a bunch of IP addresses, it now returns a column with everything it could resolve. Seeing resolved domain names alongside IP addresses gives much more meaning to the data.
The command is as follows:
<search> | lookup dnslookup clientip as <IP Field> OUTPUT clienthost as <Resolved Hostname>
- <search> is your original search.
- <IP Field> is the field that contains the IP addresses you want to resolve.
- <Resolved Hostname> is the name of the column that will contain the resolved hostnames.
You can present the results as a table by running the lookup before your stats or table command. The example below parses firewall logs from a single source host and resolves the destination IP of each connection.
<search> | lookup dnslookup clientip as dstip OUTPUT clienthost as Resolved_hostname | stats count by dstip Resolved_hostname dstport proto action
Be careful when using the stats command, though. If an IP address is local, the lookup returns a blank resolved hostname, and stats drops events whose split-by field is null, so those addresses are excluded from the stats table.
Thanks for this. I was mucking around with the same post, and your clarification helped. As it turns out, I had that part right and wasn’t modifying my count/table outputs properly. Still, the confirmation of the correct syntax in your article helped – much appreciated!
“If the IP address is local it will have a blank resolved hostname, which will exclude it from the stats table.”
Use fillnull before the stats command
Ah yes, that would work. Thanks for that!
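Putting the post's firewall example together with the fillnull suggestion from the comments, as an added example that is not part of the original post: fillnull is restricted to the Resolved_hostname field and given a marker value, so destinations the lookup could not resolve survive the stats grouping instead of being silently dropped. The marker value "unresolved" and the trailing sort are my choices.

```spl
<search>
| lookup dnslookup clientip AS dstip OUTPUT clienthost AS Resolved_hostname
| fillnull value="unresolved" Resolved_hostname
| stats count BY dstip Resolved_hostname dstport proto action
| sort - count
```

Without a field list, fillnull replaces nulls in every field with 0, which would also mask genuinely missing dstport, proto or action values; naming the field keeps the fix limited to the hostname column. Rows showing "unresolved" are then easy to filter on when reviewing which destinations had no reverse DNS record.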