Resolves hostnames using reverse DNS lookups.
|Specifies the field into which the resolved value is stored.
|Specifies the field to run the RDNS lookup against.
|Specifies a DNS server address.
[a] Optional parameters use their default value unless explicitly set
Omitted Argument Names
The argument name for
fieldcan be omitted; the following forms of this function are equivalent:logscale
If a lookup fails, it will keep the event but not add the given field.
For self-hosted customers, the number of resulting events from this
function is limited by the configuration parameter
MAX_STATE_LIMIT, whose default limit is 20000. If the
number of events exceeds this limit, the result will be truncated with a
To prevent the rdns function from blocking query execution for an
indeterminate amount of time, a timeout is applied to all RDNS requests.
If an RDNS request doesn't return a result within the timeout, the lookup
is considered to have failed for the associated event. However, if the
request eventually returns, its result is added to an internal cache
within LogScale for a period of time. Therefore, a static query using the
rdns function may fail a lookup for an event on its
first execution, but succeed in a subsequent execution. In live queries
this behaviour is less of a problem, as the
function will be evaluated continually. Thus, it is preferable to mainly
rdns function in live queries.
Reverse DNS can generally not be considered authoritative and should only be considered informational. The owner of an IP address can change it to point to an arbitrary hostname.
For an authoritative alternative without the above limitations, consider
If no RDNS server is specified then a system default is used. This can be
server to select a different default
For self-hosted customers, the allowed IP addresses and servers that can be queried can be restricted by setting:
Resolve ipAddress (if present) using the server 22.214.171.124, and store the resulting DNS name in dnsName
rdns(ipAddress, server="126.96.36.199", as=dnsName)
Resolve ipAddress (if present) and store the resulting DNS name in hostname