Reverse DNS Lookups for Host Entries

When Splunk indexes an event, by default it takes the hostname/IP exactly as it appears in the log file entry…

Often, you would like to have the IP address resolved to a hostname, or vice versa. With Splunk 4.0 came a cool feature called "Lookups". Lookups allow for the enrichment of events in Splunk with data from external sources. Those sources can be a static CSV file (a table of HTTP status codes is a good example), or a Python script that is called at search time and fetches data from wherever you need it to. The Python script must accept a CSV table as its input and return a CSV table, with the missing fields filled in, back to Splunk.
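The following is an added example of such a script, written for this page; it is not Splunk's own external_lookup.py and not code from the original post. Only the calling convention is Splunk's (field names on the command line, a CSV table with those fields as header on stdin, the same CSV with blanks filled in on stdout). The function names, the sample rows and the canned DNS answers used by `demo()` are this example's own, constructed so that it runs offline.

```python
#!/usr/bin/env python3
"""Search-time external lookup that resolves IP <-> hostname.

Contract (this part is how Splunk drives any external lookup script):
  * the lookup field names are passed as command-line arguments,
  * a CSV table with those fields as header arrives on stdin,
  * the script writes the same CSV, empty fields filled in, to stdout.
Everything else (function names, sample rows) is this example's own.
"""
import csv
import io
import ipaddress
import socket
import sys

socket.setdefaulttimeout(2.0)  # a slow resolver must not stall the whole search


def reverse_lookup(ip):
    """IP -> hostname via PTR; '' when there is no valid answer.

    The PTR record is controlled by whoever owns the netblock, so the
    result is enrichment only, never something to base a trust decision on.
    """
    try:
        ipaddress.ip_address(ip)  # refuse junk before it reaches the resolver
        return socket.gethostbyaddr(ip)[0].rstrip(".")
    except (ValueError, OSError):  # socket.herror/gaierror/timeout are OSErrors
        return ""


def forward_lookup(host):
    """hostname -> IPv4 address via A record; '' when unresolvable."""
    try:
        return socket.gethostbyname(host)
    except OSError:
        return ""


def enrich_csv(csv_text, ip_field, host_field, rev=reverse_lookup, fwd=forward_lookup):
    """Fill whichever of the two fields is empty in each row; return CSV text.

    Rows with both fields set, or both empty, pass through unchanged: Splunk
    only expects the script to supply the side it did not already have.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    if ip_field not in reader.fieldnames or host_field not in reader.fieldnames:
        raise ValueError("input CSV lacks %s/%s" % (ip_field, host_field))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        ip = (row.get(ip_field) or "").strip()
        host = (row.get(host_field) or "").strip()
        if ip and not host:
            row[host_field] = rev(ip)
        elif host and not ip:
            row[ip_field] = fwd(host)
        writer.writerow(row)
    return out.getvalue()


# Constructed sample: what Splunk would hand the script for three events.
SAMPLE_CSV = "clientip,clienthost\n10.0.0.5,\n,mail.example.test\n192.0.2.7,\n"

# Constructed answers standing in for DNS so the demo runs offline.
FAKE_PTR = {"10.0.0.5": "ws05.corp.example.test"}
FAKE_A = {"mail.example.test": "10.0.0.25"}


def demo():
    """Run the lookup over SAMPLE_CSV with canned resolvers (no network).

    The third row has no PTR answer and therefore comes back with the
    hostname still blank, which is how an unresolvable IP should look.
    """
    return enrich_csv(SAMPLE_CSV, "clientip", "clienthost",
                      rev=lambda ip: FAKE_PTR.get(ip, ""),
                      fwd=lambda h: FAKE_A.get(h, ""))


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: %s <ip_field> <host_field>\n" % sys.argv[0])
        return 2
    sys.stdout.write(enrich_csv(sys.stdin.read(), argv[0], argv[1]))
    return 0


if __name__ == "__main__":
    if sys.stdin.isatty():  # run by hand with nothing piped in: show the demo
        sys.stdout.write(demo())
    else:                   # invoked by Splunk: argv carries the field names
        sys.exit(main(sys.argv[1:]))
```

To wire it in, the script goes in an app's `bin` directory and is named in a transforms.conf stanza via `external_cmd` together with the two field names, and `fields_list` lists the same fields (the stanza name and field names are yours to choose). Two things to keep in mind before enabling this on a busy search head: every row costs a DNS round trip, so the timeout matters, and each query tells your resolver which addresses you are investigating.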

Little did we know, Splunk ships a file in $SPLUNK_HOME/etc/system/bin/ called "external_lookup.py" which…
