Unable to get a search to work properly

Hi All,

I have been trying to get the following search to work for weeks now, with no luck. My entire team has looked at it as well as our local user group and our Account Manager’s SE. No one has been able to figure out why the search isn’t working properly. Here is some background:

I received a “list of domain names of interest” that we want to search our firewall logs for matches on. First, I created a lookup table: (The “ip” field is empty as per the dnsLookup function documentation)

Lookup Table: (/opt/splunk/etc/system/lookups/000085.csv)

fqdn, ip
atlantis-bahamas.com,
goproders.com,
hilopser.com,
kiposerd.com,
onokder.com,
pdoklbr.com,
pdokls3.com,
proslr3.com,
rescsovwe.com,
true-deals.com,

Next, I wanted to “read-in” this list of domain names, so I used the inputlookup function and created a transform for it:

Transform: (/opt/splunk/etc/system/local)

[flash_mi-000085-mw]
filename = 000085.csv
index_fields_list = fqdn, ip
outputlookup_check_permission
check_permission

So now, I have the list of domain names “read-into” Splunk, but our firewall logs only use IP addresses, so I need to convert the domain names to IP addresses. I read about the built-in dnsLookup function and setup the transform for it:

Transform: (/opt/splunk/etc/system/local)

[dnsLookup]
external_cmd = external_lookup.py host ip
fields_list = host, ip

At this point, my search looks like this:
| inputlookup flash_mi-000085-mw | lookup dnsLookup host as fqdn

(I changed the “host” field defined in the dnsLookup transform to “fqdn” as the firewall logs already have a “host” field defined and this was corrupting the results.)

At this point, the list of domain names has been converted to IP addresses and all is good. Next, I want to compare this list of IP addresses against our firewall logs and list any matches:

| inputlookup flash_mi-000085-mw | lookup dnsLookup host as fqdn | search sourcetype=cisco:asa dest_ip="xxx.xxx.0.0/16" OR src_ip="xxx.xxx.0.0/16" AND ip

Sourcetype=cisco:asa limits the search data to only our firewall logs. “xxx.xxx.0.0/16” as a destination or source limits the results to only records from IP addresses belonging to us. My intent of the “AND ip” at the end is to match any traffic destined or originating to/from us with an IP address from the domain name list. Unfortunately, this is NOT working. (The actual search string has a valid Class B address and not xxx.xxx.0.0/16. I removed the actual range in the email for security reasons).

There are a couple of other entries in the search intended to “clean-up” the results, but they should not keep the search from functioning. Here is the entire search string:

| inputlookup flash_mi-000085-mw | lookup dnsLookup host as fqdn | search sourcetype=cisco:asa dest_ip="xxx.xxx.0.0/16" OR src_ip="xxx.xxx.0.0/16" AND ip | where fqdn!="" | table fqdn ip dest_ip src_ip

Any input on this would be greatly appreciated!

Thanks!
Jon
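As an added example (editor's code, not part of Jon's post and not Splunk's own search or lookup code), the pipeline the search is meant to perform, done outside Splunk in plain Python so the expected matches can be checked against what the SPL returns: read the fqdn column of the lookup CSV, resolve each name to its IPs (the dnsLookup step), then flag any Cisco ASA log line where one endpoint is inside "our" /16 and another endpoint is a resolved watchlist IP. Everything it consumes is constructed: the /16 (10.20.0.0/16) is a hypothetical stand-in for the redacted range, the resolver table stands in for DNS so the script runs offline (a live resolver using socket.getaddrinfo is included but not used by default), and the ASA lines are made up using the real 302013/106023 message shapes with RFC 5737 documentation addresses.

```python
import csv
import io
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Set, Tuple

# Hypothetical "our" address space; the post redacts the real /16.
OUR_NET = ipaddress.ip_network("10.20.0.0/16")

# Constructed lookup table, same shape as the poster's 000085.csv: a header,
# then one fqdn per row with an empty ip column for the DNS lookup to fill.
LOOKUP_CSV = """fqdn,ip
atlantis-bahamas.com,
goproders.com,
hilopser.com,
"""

# Constructed resolver answers so the example runs offline. hilopser.com
# deliberately resolves to nothing (NXDOMAIN): a name with no ip can never match.
FAKE_DNS: Dict[str, List[str]] = {
    "atlantis-bahamas.com": ["203.0.113.5"],
    "goproders.com": ["198.51.100.7", "198.51.100.8"],
    "hilopser.com": [],
}

# Constructed Cisco ASA syslog lines (documentation addresses only).
# Line 1: our host talks to a watchlist IP        -> match
# Line 2: our host talks to an unlisted IP        -> no match
# Line 3: watchlist IP denied against our host    -> match
# Line 4: watchlist IP against a host outside our /16 -> no match
ASA_LOGS = """\
%ASA-6-302013: Built outbound TCP connection 8841 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:10.20.1.5/51234 (10.20.1.5/51234)
%ASA-6-302013: Built outbound TCP connection 8842 for outside:192.0.2.44/80 (192.0.2.44/80) to inside:10.20.1.6/51235 (10.20.1.6/51235)
%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:10.20.3.9/445 by access-group "outside_in"
%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst dmz:172.16.9.9/445 by access-group "outside_in"
"""

# ASA endpoints appear as address/port; capture the address part only.
IP_PORT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})/\d+")

Resolver = Callable[[str], List[str]]


def load_watchlist(csv_text: str) -> List[str]:
    """The inputlookup step: return the fqdn column, skipping blank rows."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["fqdn"].strip() for r in rows if (r.get("fqdn") or "").strip()]


def fake_resolver(fqdn: str) -> List[str]:
    """Offline stand-in for DNS, backed by the constructed table above."""
    return FAKE_DNS.get(fqdn, [])


def resolve_dns(fqdn: str) -> List[str]:
    """Live resolver (not used by default): IPv4 answers, or [] on failure."""
    try:
        answers = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in answers})


def resolve_table(fqdns: List[str], resolver: Resolver) -> Dict[str, str]:
    """The dnsLookup step, inverted: map each resolved IP back to its fqdn."""
    ip_to_fqdn: Dict[str, str] = {}
    for fqdn in fqdns:
        for ip in resolver(fqdn):
            ip_to_fqdn[ip] = fqdn
    return ip_to_fqdn


def ips_in_line(line: str) -> Set[str]:
    """All endpoint addresses on one ASA line (real and NAT-mapped, deduplicated)."""
    return set(IP_PORT_RE.findall(line))


def find_matches(log_text: str, ip_to_fqdn: Dict[str, str],
                 our_net: ipaddress.IPv4Network = OUR_NET) -> List[Tuple[str, str, str, str]]:
    """Return (fqdn, watchlist_ip, our_ip, line) for every line where some
    endpoint is in our_net and some other endpoint is a watchlist IP.
    Direction is ignored on purpose: the post wants src OR dest in our range."""
    hits = []
    for line in log_text.splitlines():
        ips = ips_in_line(line)
        ours = sorted(ip for ip in ips if ipaddress.ip_address(ip) in our_net)
        watched = sorted(ip for ip in ips if ip in ip_to_fqdn and ip not in ours)
        if ours and watched:
            for w in watched:
                hits.append((ip_to_fqdn[w], w, ours[0], line))
    return hits


if __name__ == "__main__":
    table = resolve_table(load_watchlist(LOOKUP_CSV), fake_resolver)
    for fqdn, watch_ip, our_ip, line in find_matches(ASA_LOGS, table):
        print(f"{fqdn:22} {watch_ip:15} <-> {our_ip:15} | {line[:60]}")
```

Swap `fake_resolver` for `resolve_dns` to run it against real DNS; note that the resolved set is a snapshot, so the answers should be re-resolved (or the ip column of the lookup refreshed) before each run, since fast-flux and CDN-hosted names change addresses between lookups.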
