In our situation, "host" may be an IP OR it may be a FQDN. I need this to be an IP, so I created an automatic lookup for a specific sourcetype using external.py and:

dnslookup clienthost AS host OUTPUTNEW clientip AS host_ip

I have another lookup that attempts to match the IP provided into a group in our organization (also using the same sourcetype):

ip_to_group Subnet AS host_ip OUTPUT Group AS host_group
This only seems to work sometimes. For example, I had a specific set of 200 events from a single "host". Using automatic lookups, it would only provide the group in 79% of the events. If I added the second lookup to the search string, it would bump that up to 100%.
I thought I had read that props.conf is done in parallel and that might provide a reason for this behavior - but I didn't see anything in the docs that supported that. How can I make sure that the DNS lookup is finished before attempting to map to a group?
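Added example (not part of the question above, and not the poster's actual configuration): a props.conf/transforms.conf pair that declares the two automatic lookups described, with the class names chosen so the lookup that produces host_ip sorts before the one that consumes it. It relies on Splunk applying automatic lookups in ASCII sort order of the LOOKUP-<class> name; confirm that against the props.conf reference for your version. The sourcetype name web_access, the file ip_to_group.csv, and CIDR matching on the Subnet field are assumptions.

```ini
# props.conf (added example; sourcetype name is a placeholder)
# Automatic lookups are applied in ASCII order of the LOOKUP-<class> name,
# so "1_dns" runs before "2_group" and host_ip exists when the second lookup reads it.
[web_access]
LOOKUP-1_dns   = dnslookup clienthost AS host OUTPUTNEW clientip AS host_ip
LOOKUP-2_group = ip_to_group Subnet AS host_ip OUTPUT Group AS host_group

# transforms.conf
# dnslookup is the external (scripted) DNS lookup shipped with Splunk.
[dnslookup]
external_cmd = external_lookup.py clienthost clientip
fields_list  = clienthost,clientip

# ip_to_group is assumed to be a CSV with Subnet (CIDR) and Group columns;
# match_type = CIDR(Subnet) is what makes a plain IP in host_ip match a subnet row.
[ip_to_group]
filename   = ip_to_group.csv
match_type = CIDR(Subnet)
```

A quick way to check the ordering hypothesis is to search the sourcetype and compare the count of events where host_ip is present with the count where host_group is present; if host_ip is populated but host_group is not, the second lookup is running before (or without) the first lookup's output rather than failing to match.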