So I have a search that gives me IP addresses of internal servers. Would like to modify it so that it gives me the IP and DNS name of the servers.
Looking through other answers, I have created a transforms.conf in `Splunk\etc\system\local` with the below.
```
[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip
```
But when I search with
```
index=* src_ip="10.0.0.0/8" YouTube.com sourcetype!=optiv_threat_list | lookup dnslookup ip as dst
```
I get the error `Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table`.
I know I am missing something, but not sure what.
Thanks
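For reference, this is what a script named by `external_cmd` has to do: Splunk passes the `fields_list` names as arguments, pipes a CSV with those names as its header on stdin, and expects the same CSV back on stdout with the blank column filled in. The script below is an added, hypothetical example written for this thread, not Splunk's bundled `external_lookup.py`; it assumes the `host`/`ip` field names from the stanza above and uses reverse DNS to fill `host` from `ip` (or forward DNS the other way).

```python
"""Splunk-style external lookup (hypothetical; not Splunk's own external_lookup.py).

Splunk runs:  external_lookup.py host ip
and pipes a CSV whose header is the stanza's fields_list (host,ip) on stdin;
the script must echo that CSV to stdout with the blank column filled in.
"""
import csv
import io
import socket
import sys


def reverse_lookup(ip):
    """PTR name for ip, or '' when nothing resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return ""


def forward_lookup(host):
    """A record for host, or '' when nothing resolves."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return ""


def lookup_csv(text, host_field, ip_field, rev=reverse_lookup, fwd=forward_lookup):
    """Fill whichever of host_field / ip_field is blank in each CSV row.
    Resolvers are injectable so the logic can be checked offline."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        if row.get(ip_field) and not row.get(host_field):
            row[host_field] = rev(row[ip_field])
        elif row.get(host_field) and not row.get(ip_field):
            row[ip_field] = fwd(row[host_field])
        writer.writerow(row)
    return out.getvalue()


# Constructed sample of what Splunk pipes in for `| lookup <name> ip`.
SAMPLE_CSV = "host,ip\n,10.0.0.5\n,10.0.0.6\n"

if __name__ == "__main__":
    # argv[1:] are the field names given after external_cmd in transforms.conf
    sys.stdout.write(lookup_csv(sys.stdin.read(), sys.argv[1], sys.argv[2]))
```

The header Splunk sends is built from the field names used in the `lookup` invocation, so a name in the search that is not in the script's `fields_list` is exactly the mismatch the "Could not find all of the specified lookup fields" error reports.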