Hi
I read http://www.splunk.com/base/Documentation/4.2.2/Knowledge/Addfieldsfromexternaldatasources and see my default transforms.conf has
# Example external lookup
[dnslookup]
external_cmd = external_lookup.py clienthost clientip
fields_list = clienthost clientip
But when I try to use it I get "Error in 'lookup' command: Could not find all of the specified lookup fields in the lookup table."
I use: "Local User:" AND NOT DNS AND NOT close | rex field=_raw "User:\s+(?<src>.*):.*\s+->\s+(?<dst>.*):" | top limit 20 dst | lookup dnslookup dst
The logfile entries look like:
Aug 25 23:00:22 Vigor: Local User: 192.168.1.8:50829 -> 22.58.244.67:80 (TCP)Web
Thank you Markus
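For reference, here is the protocol that the [dnslookup] stanza above expects its script to speak (an added example in the shape of the stock external_lookup.py, not Splunk's own code): Splunk starts the script with the two field names from fields_list as arguments, pipes in a CSV whose header is exactly those names, and reads back a CSV with the same columns, one output row per input row. The field names are therefore fixed by transforms.conf, so a search field with another name has to be mapped in the lookup command with AS (for the dst field above: `| lookup dnslookup clientip AS dst OUTPUT clienthost`). The resolver functions are passed in as parameters so the row logic can be checked offline with a constructed resolver.

```python
"""Minimal Splunk external lookup script (added example, not Splunk's
external_lookup.py).  Invoked as:  external_lookup.py clienthost clientip
Reads CSV on stdin with columns clienthost,clientip; each row has one of
the two filled in; writes the same CSV on stdout with the other filled."""
import csv
import socket
import sys


def forward_lookup(host):
    """Hostname -> IP address, or "" if resolution fails."""
    try:
        return socket.gethostbyname(host)
    except socket.error:
        return ""


def reverse_lookup(ip):
    """IP address -> hostname, or "" if there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.error:
        return ""


def fill_row(row, forward=forward_lookup, reverse=reverse_lookup):
    """Fill whichever of clienthost/clientip is empty in one CSV row.
    Resolvers are parameters so the logic can be exercised without DNS."""
    row = dict(row)
    if row.get("clientip") and not row.get("clienthost"):
        row["clienthost"] = reverse(row["clientip"])
    elif row.get("clienthost") and not row.get("clientip"):
        row["clientip"] = forward(row["clienthost"])
    return row


def run_lookup(in_stream, out_stream, forward=forward_lookup, reverse=reverse_lookup):
    """Lookup protocol: CSV in, CSV out with identical header, row for row."""
    reader = csv.DictReader(in_stream)
    writer = csv.DictWriter(out_stream, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        writer.writerow(fill_row(row, forward, reverse))


if __name__ == "__main__":
    # Splunk passes the names from fields_list on the command line; insist
    # on the two this script knows so a mismatch fails loudly, not silently.
    if sys.argv[1:] != ["clienthost", "clientip"]:
        sys.exit("usage: external_lookup.py clienthost clientip")
    run_lookup(sys.stdin, sys.stdout)
```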