So I have a search that gives me IP addresses of internal servers. I would like to modify it so that it gives me the IP and DNS name of the servers.
Looking through other Answers, I have created a transforms.conf in `Splunk\etc\system\local` with the below.
```
[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip
```
But when I search with:
```
index=* src_ip="10.0.0.0/8" YouTube.com sourcetype!=optiv_threat_list | lookup dnslookup ip as dst
```
I get this error:
```
Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table
```
I know I am missing something, but not sure what.
Thanks
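To make the mechanics behind an `external_cmd` stanza concrete, here is an added example (not code from the original post, and not Splunk's bundled `external_lookup.py`) of a minimal external lookup script together with the stanza that would drive it; the stanza name `ip_to_host`, the script name and the sample addresses are assumptions. Two things have to line up for `lookup` to work: the name after `lookup` must match the stanza name in transforms.conf, and every field the `lookup` command references must be one of the names in `fields_list` (Splunk's bundled `dnslookup` stanza, for instance, uses `clientip` and `clienthost`, not `ip`). The script below checks the second condition itself so a mismatch fails loudly instead of silently returning nothing.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): a minimal Splunk external
lookup script that fills a `host` column from an `ip` column.

Splunk runs an external lookup with the stanza's field names on the command
line and pipes CSV to stdin: a header row naming the lookup fields, then one
row per event with the known values filled in. The script must write the
same CSV back with the missing values filled. The matching transforms.conf
stanza (hypothetical name ip_to_host, not on the original page):

    [ip_to_host]
    external_cmd = ip_to_host.py host ip
    fields_list = host, ip

which is then used as `... | lookup ip_to_host ip AS dst OUTPUT host AS dst_host`.
"""
import csv
import io
import socket
import sys


def reverse_lookup(ip):
    """Reverse-resolve one IP with the system resolver; "" when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return ""


def missing_fields(header, fieldnames):
    """Field names given on the command line that the CSV header does not carry."""
    return [f for f in fieldnames if f not in header]


def fill_rows(rows, resolver=reverse_lookup):
    """Return a copy of `rows` (dicts from csv.DictReader) with empty `host`
    values filled from `ip`. The resolver is injectable so the logic can be
    exercised offline with a constructed mapping."""
    filled = []
    for row in rows:
        row = dict(row)
        if row.get("ip") and not row.get("host"):
            row["host"] = resolver(row["ip"])
        filled.append(row)
    return filled


def run(stdin, stdout, fieldnames, resolver=reverse_lookup):
    """Process one Splunk lookup request: CSV in on stdin, CSV out on stdout."""
    reader = csv.DictReader(stdin)
    header = reader.fieldnames or []
    # The header Splunk sends carries the fields_list columns; if the names the
    # stanza passes on the command line are not among them, fail visibly.
    missing = missing_fields(header, fieldnames)
    if missing:
        raise SystemExit("lookup fields missing from input: %s" % ", ".join(missing))
    writer = csv.DictWriter(stdout, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    writer.writerows(fill_rows(list(reader), resolver))


# Constructed sample data: a private-range mapping standing in for real PTR records.
SAMPLE_PTR = {"10.1.2.3": "web01.corp.example", "10.1.2.4": "db01.corp.example"}
SAMPLE_STDIN = "host,ip\n,10.1.2.3\n,10.1.2.4\n,10.9.9.9\n"


def demo():
    """Run the script end to end on the constructed input without touching DNS."""
    out = io.StringIO()
    run(io.StringIO(SAMPLE_STDIN), out, ["host", "ip"],
        resolver=lambda ip: SAMPLE_PTR.get(ip, ""))
    return out.getvalue()


if __name__ == "__main__":
    if sys.argv[1:]:
        run(sys.stdin, sys.stdout, sys.argv[1:])   # invoked by Splunk
    else:
        sys.stdout.write(demo())                   # run by hand: offline demo
```

Run without arguments it prints the constructed round trip; placed in an app's `bin` directory and referenced from the stanza above, Splunk invokes it as `ip_to_host.py host ip`. The third sample row shows the failure mode a practitioner should expect: an address with no reverse record comes back with an empty `host`, which is what `lookup` then leaves unset on the event.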
How to get my search that currently gives me IP addresses to also give me the DNS name of servers?