When Splunk indexes, by default it is going to take the hostname/IP that exists directly in the log file entry...

Often, you would like to have the IP address resolved to a hostname, or vice versa. With Splunk 4.0 came a cool feature called "Lookups". Lookups allow for the enrichment of events in Splunk with data from external sources. Those sources can be a static CSV file (HTTP error codes are a good example) or a Python script that is called at search time and grabs data from wherever you need it to. The Python script must take in a CSV data structure and spit a CSV data structure back to Splunk.

Little did we know, Splunk included a file in $SPLUNK_HOME/etc/system/bin/ called "external_lookup.py" which just happens to resolve hostnames and IPs. That Python script takes two possible pieces of data, "host" and "ip", and when you're sending data to it via the "lookup" search command or in the config files, the field name HAS to be "host" or "ip".
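To make that contract concrete, here is an added example of a script that speaks the same CSV-in/CSV-out protocol; it is constructed for this post and is not the bundled external_lookup.py (which you should use as-is). The resolver is pluggable so the row handling can be tested offline with constructed host/IP pairs instead of live DNS.

```python
"""Constructed stand-in for a Splunk external lookup script (not the bundled
external_lookup.py). Splunk pipes a CSV with a header row to stdin; each data
row has either "host" or "ip" filled, and the script must write the same CSV
back to stdout with the missing column completed. Unresolvable rows are echoed
back unchanged, so Splunk simply attaches no new field to those events."""
import csv
import io
import socket
import sys

def default_resolver(field, value):
    """Real DNS: reverse lookup for an "ip" value, forward lookup for a "host".
    Returns None on failure; an uncaught exception here fails the whole search."""
    try:
        if field == "ip":
            # A PTR answer is set by whoever controls the reverse zone:
            # treat it as enrichment, not as proof of identity.
            return socket.gethostbyaddr(value)[0]
        return socket.gethostbyname(value)
    except (socket.herror, socket.gaierror, OSError):
        return None

def fill_row(row, resolver=default_resolver):
    """Complete one CSV row in place: ip -> host or host -> ip."""
    ip = (row.get("ip") or "").strip()
    host = (row.get("host") or "").strip()
    if ip and not host:
        row["host"] = resolver("ip", ip) or ""
    elif host and not ip:
        row["ip"] = resolver("host", host) or ""
    return row

def run_lookup(infile, outfile, resolver=default_resolver):
    """Splunk protocol: read CSV, write the same header, echo every row."""
    reader = csv.DictReader(infile)
    if reader.fieldnames is None:  # empty input, nothing to answer
        return
    writer = csv.DictWriter(outfile, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        writer.writerow(fill_row(row, resolver))

def lookup_csv_text(text, resolver=default_resolver):
    """Run the same protocol on an in-memory CSV string (handy for testing)."""
    out = io.StringIO()
    run_lookup(io.StringIO(text), out, resolver)
    return out.getvalue()

if __name__ == "__main__":
    run_lookup(sys.stdin, sys.stdout)
```

Because Splunk matches the returned columns by name, the header must come back exactly as it was sent, which is why the script reuses the reader's field names rather than hard-coding them.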

You can choose to run the lookup via a search command "| lookup dnsLookup ip AS host OUTPUT host as hostname" or wire it in to run automatically as I have done below.

Note: with either choice, you need to make sure the lookup is defined in TRANSFORMS.CONF as below.

1. mkdir $SPLUNK_HOME/etc/APPNAME/lookups (where APPNAME = search, for example)
2. copy $SPLUNK_HOME/etc/system/bin/external_lookup.py to $SPLUNK_HOME/etc/search/lookups
3. create/add to $SPLUNK_HOME/etc/search/local/props.conf a stanza to drive the lookup

PROPS.CONF
[firepass_log]
# set the stanza name above to the sourcetype you'd like the lookup to occur on;
# lookups will apply to this sourcetype automatically
LOOKUP-rdns = dnsLookup ip AS host OUTPUT host as hostname
# "dnsLookup" will be defined in transforms.conf. This syntax reads "run dnsLookup, send it an "ip" address which we are going to get from the "host" field in the Splunk event, then when the lookup occurs, return the "host" information back to Splunk in the form of a new field attached to each relevant event, called "hostname"."

# In this case, we are doing a reverse DNS lookup (get hostname from address). If you wanted to do a forward DNS lookup (get IP address from hostname), this entry will work:
LOOKUP-fdns = dnsLookup host OUTPUT ip

# This syntax reads "run dnsLookup, send it a hostname from Splunk's "host" field for each event, then when the lookup occurs, return the "ip" address back to Splunk in the form of a new field attached to each relevant event, called "ip"."

4. create/add to $SPLUNK_HOME/etc/search/local/transforms.conf a stanza to define details about the lookup.

TRANSFORMS.CONF
[dnsLookup]
# this stanza name is what your entry in props.conf calls, and it IS case sensitive
external_cmd = external_lookup.py host ip
fields_list = host, ip

# fields_list is the list of fields that will come back from the script and end up in your event. If you want these fields renamed, you can rename them in props.conf (as we did above) with OUTPUT (field) as (newfieldname).

Check it out!

© 2012   Created by Michael Wilde.
