The external lookup used in this recipe is bundled with Splunk. When the script is called at search time, a lookup table is created in memory to pass content back, just as if it had been read from a CSV file on the server. The table has multiple columns, and you can map to them so that the lookup enriches your data with the appropriate new fields and values from the table. In this case, we passed the clientip to the script, the IP was looked up using DNS, and clienthost was returned.
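The exchange described above, as an added example in Python; it is not the script bundled with Splunk. It assumes the table reaches the script as CSV on stdin and is returned as CSV on stdout, and the function names `valid_ip`, `reverse_dns` and `enrich` are hypothetical. Because clientip comes from log data, each value is validated before it reaches the resolver.

```python
import csv
import ipaddress
import socket
import sys


def valid_ip(value):
    """Accept only literal IPv4/IPv6 addresses; field values come from log data."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def reverse_dns(ip):
    """PTR lookup; return "" on failure so one bad address cannot abort the search."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (OSError, UnicodeError):
        return ""


def enrich(infile, outfile, ip_field="clientip", host_field="clienthost",
           resolver=reverse_dns):
    """Copy the CSV table from infile to outfile, filling host_field from ip_field.

    Returns the number of distinct addresses handed to the resolver.
    """
    reader = csv.DictReader(infile)
    fields = list(reader.fieldnames or [])
    if host_field not in fields:
        fields.append(host_field)
    writer = csv.DictWriter(outfile, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    cache = {}  # one DNS query per distinct address, however many rows repeat it
    for row in reader:
        ip = (row.get(ip_field) or "").strip()
        if valid_ip(ip) and not row.get(host_field):
            if ip not in cache:
                cache[ip] = resolver(ip)
            row[host_field] = cache[ip]
        writer.writerow(row)  # rows with an invalid address pass through unchanged
    return len(cache)


if __name__ == "__main__":
    enrich(sys.stdin, sys.stdout)
```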
External lookup commands provide a mechanism to look up data in real time. This is useful when a local lookup data table becomes too large or the data becomes stale too quickly. As external lookups are just scripts, they ...