
TechTip: How to do DNS lookups in Splunk

Being able to perform DNS lookups, either forward or reverse, within your Splunk searches can be very helpful for identifying indicators or correlating different types of logs. There are a number of apps available on Splunkbase (e.g. Forensic Investigator, Network Toolkit) that add this functionality, but as it turns out, it is also supported natively in the form of an external lookup called "dnslookup", which ships in Splunk's default transforms.conf.


To use this lookup, pipe your search into the "lookup" command, name the lookup's input field for the direction you want (clienthost for a forward lookup, clientip for a reverse lookup), and map it with "as" to the existing field in your events that holds the value to resolve.

Forward Lookup



| lookup dnslookup clienthost as hostname

Where "hostname" is the field in your search, containing domain names that you're looking to get the IP addresses for. Resulting IP addresses will be added to each event as the "clientip" field.

Note that in cases where multiple IP addresses are returned by the lookup, the "clientip" field will be a multivalue field and will need to be handled as such (for example with mvexpand, mvjoin or mvindex).

Reverse Lookup



| lookup dnslookup clientip as ipaddress

Where "ipaddress" is the field in your search containing the IP addresses that you're looking to get host names for. Resulting host names will be added to each event as the "clienthost" field. Keep in mind that a reverse (PTR) answer is set by whoever controls the reverse zone for that address, so treat it as a hint for triage rather than a verified identity, and remember that every lookup is resolved from the search head at search time.
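
Both directions together, as an added worked example rather than Splunk's own code: the stock dnslookup is backed by an external lookup script that ships with Splunk, and external lookups follow a simple stdin/stdout contract that the script below reproduces for illustration. Splunk pipes in a CSV whose header is the lookup's field list (clienthost,clientip), each row carrying the one field you supplied; the script writes back a CSV with the other field filled in, and when a forward lookup returns several addresses it emits one row per address, which is exactly what surfaces in the search as a multivalue clientip. The host names, addresses, sample CSV and fake resolver are constructed so the example runs offline; system_resolver is the hypothetical hook you would use for real DNS.

```python
"""
Minimal Splunk-style DNS external lookup (added example, not Splunk's own
external_lookup script). Splunk runs an external lookup as a process, feeds
it a CSV on stdin whose header is the lookup's fields_list, and reads the
completed CSV back from stdout.
"""
import csv
import io
import socket
import sys

FIELDS = ["clienthost", "clientip"]   # field names used by dnslookup


def system_resolver(name_or_ip, reverse):
    """Resolve through the OS resolver. Returns a list, possibly empty."""
    try:
        if reverse:
            host, _aliases, _addrs = socket.gethostbyaddr(name_or_ip)
            return [host]
        seen = []
        for info in socket.getaddrinfo(name_or_ip, None):
            ip = info[4][0]
            if ip not in seen:          # de-duplicate, keep answer order
                seen.append(ip)
        return seen
    except (socket.gaierror, socket.herror, OSError):
        return []


def run_lookup(csv_in, resolver=system_resolver):
    """Take the lookup CSV as a str, return the completed CSV as a str.

    A row with clienthost set is a forward lookup (one output row per
    address, which Splunk folds into a multivalue clientip); a row with
    clientip set is a reverse lookup. Rows that do not resolve are echoed
    back with the output column empty so the event is kept, not dropped.
    """
    reader = csv.DictReader(io.StringIO(csv_in))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        host = (row.get("clienthost") or "").strip()
        ip = (row.get("clientip") or "").strip()
        if host and not ip:
            addrs = resolver(host, reverse=False)
            if not addrs:
                writer.writerow({"clienthost": host, "clientip": ""})
            for addr in addrs:
                writer.writerow({"clienthost": host, "clientip": addr})
        elif ip and not host:
            names = resolver(ip, reverse=True)
            if not names:
                writer.writerow({"clienthost": "", "clientip": ip})
            for name in names:
                writer.writerow({"clienthost": name, "clientip": ip})
        else:
            writer.writerow({"clienthost": host, "clientip": ip})
    return out.getvalue()


def parse_rows(csv_text):
    """Convenience for inspecting results: CSV text -> list of dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


# Constructed, offline stand-in for DNS so the example runs without network
# access. Names and addresses are made up (documentation ranges).
FAKE_DNS = {
    "www.example.test": ["192.0.2.10", "192.0.2.11"],   # two A records
    "mail.example.test": ["198.51.100.7"],
    "192.0.2.10": ["www.example.test"],                 # PTR record
    "203.0.113.99": [],                                 # no PTR record
}


def fake_resolver(name_or_ip, reverse):
    return FAKE_DNS.get(name_or_ip, [])


# Constructed input in the shape Splunk sends: two forward rows, two reverse.
SAMPLE_IN = (
    "clienthost,clientip\n"
    "www.example.test,\n"
    "mail.example.test,\n"
    ",192.0.2.10\n"
    ",203.0.113.99\n"
)


if __name__ == "__main__":
    # Under Splunk: resolve whatever arrives on stdin with the real resolver.
    sys.stdout.write(run_lookup(sys.stdin.read()))
```

Run it with `python3 dns_lookup_example.py < input.csv` to see the raw CSV Splunk would consume; www.example.test comes back as two rows, which is the multivalue case the forward-lookup note above describes.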

Tip


If you want to run DNS lookups against a field containing a URL, you need to extract the host name from it first. Splitting on "/" and taking the first element only works when the field has no scheme; with a full URL such as http://www.example.com/path that would yield "http:", so strip the scheme (and any port) before splitting. This can be accomplished with a couple of eval commands:

| eval temp=split(replace(url_field, "^[A-Za-z][A-Za-z0-9+.-]*://", ""), "/")
| eval domain=mvindex(split(mvindex(temp, 0), ":"), 0)

Then just run the "dnslookup" lookup against the "domain" field.
