This app is archived. App archiving documentation

dnslookup

Nothing too fancy here, this app just provides two commands: dnslookup and serviceslookup An example search leveraging the netstat data from the *nix app and converting ip addresses into more human friendly dns entries (along with looking up the port servie name in /etc/services) index=os source=netstat | multikv fields LocalAddress ForeignAddress | rex "(?i)(?P<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex "(?i)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.(?P<PORT>\d+)" | search IP!="*.0" | top IP, PORT limit=0 | dnslookup reverse IP fqdn | serviceslookup PORT SERVICE | table IP, fqdn, PORT, SERVICE, count dnslookup usage: dnslookup <reverse|forward> <input field> <output field> servicelookup <input field> <output field> <optional services file path> Hope you find it useful (or if it even works), let me know how you go.

Built by Travis Freeland

Latest Version 0.1

May 21, 2013

Compatibility

Splunk Enterprise

Platform Version: 9.4, 9.3, 9.2, 9.1, 9.0, 8.2, 8.1

Rating

4

(11)

Log in to rate this app

Support

Not Supported

Nothing too fancy here, this app just provides two commands: dnslookup and serviceslookup An example search leveraging the netstat data from the *nix app and converting ip addresses into more human friendly dns entries (along with looking up the port servie name in /etc/services) index=os source=netstat | multikv fields LocalAddress ForeignAddress | rex "(?i)(?P<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | rex "(?i)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}.(?P<PORT>\d+)" | search IP!="*.0" | top IP, PORT limit=0 | dnslookup reverse IP fqdn | serviceslookup PORT SERVICE | table IP, fqdn, PORT, SERVICE, count dnslookup usage: dnslookup <reverse|forward> <input field> <output field> servicelookup <input field> <output field> <optional services file path> Hope you find it useful (or if it even works), let me know how you go.