These docs are for Cribl Stream 4.1 and are no longer actively maintained.
DNS Lookup
The DNS Lookup Function offers two operations useful in enriching security and other data:
- DNS lookups based on host name as text, resolving to A record (IP address) or to other record types. 
- Reverse DNS Lookup. (This duplicates the behavior of Cribl Stream’s prior Reverse DNS Function, which was deprecated as of v.2.4, and has been removed as of v.4.0.) 
To reduce DNS lookups and minimize latency, the DNS Lookup Function incorporates a configurable DNS cache (including resolved and unresolved lookups). If you need additional caching, consider enabling OS-level DNS caching on each Cribl Stream Worker that will execute this Function. (OS-level caching options include DNSMasq, nscd, systemd‑resolved, etc.)
Usage
Filter: Filter expression (JS) that selects data to feed through the Function. Defaults to true, meaning it evaluates all events.
Description: Simple description of this Function. Defaults to empty.
Final: If toggled to Yes, stops feeding data to the downstream Functions. Defaults to No.
DNS Lookup Fields Section
Lookup field name: Name of the field containing the domain to look up.
Resource record type: DNS resource record (RR) type to return. Defaults to the A record.
Output field name: Lookup result(s) will be added to this field. Leave blank to overwrite the original field specified in Lookup field name.
Reverse DNS Lookup Field(s) Section
Lookup field name: Name of the field containing the IP address to look up.
If the field value is not in IPv4 or IPv6 format, the lookup is skipped.
Output field name: Name of the field in which to add the resolved hostname. Leave blank to overwrite the original field specified in Lookup field name.
Advanced Settings
DNS server(s) overrides: IP address(es), in RFC 5952 format, of the DNS server(s) to use for resolution. IPv4 examples: 1.1.1.1, 4.2.2.2:53. IPv6 examples: [2001:4860:4860::8888], [2001:4860:4860::8888]:1053. If this field is not specified, Cribl Stream will use the system’s DNS server.
Cache time to live (minutes): Determines the interval on which the DNS cache will expire, and its contents will be refetched. Defaults to 30 minutes. Use 0 to disable cache expiration/refresh behavior.
Maximum cache size: Maximum number of DNS resolutions to cache locally. Before changing the default 5000, consider the implications for your system. Higher values will increase memory usage. Highest allowed value is 100000.
Example
This example Pipeline chains two Functions. First, we have an Eval Function that defines key-value pairs for two alphabetical domain names and two numeric IP addresses.

Next, the DNS Lookup Function looks up several record types for the two domain names, placing each retrieved record type in its own output field.

Finally, the same Function’s Reverse DNS lookup section retrieves domain names for the two IP addresses.

Working with Multi-value Results
DNS records can contain single values mixed together with multi-value results. While this can be challenging to work with, the right code can adjust your results to the desired values.
In the screenshot below, the DNS lookup for google.com (event 1) returns a single record, while the cribl.cloud lookup (event 2) returns four addresses.

Sometimes a receiver is unable to consume the data in an array format. One solution to this problem is to pick the first result and convert it into a string. Here’s a JavaScript eval to do this:
Array.isArray(host) ? host[0] : host;
This expression checks whether the value of the host field is an array.
- If true, the result is the left side of the ternary expression – in this case, host[0], the first element of the array, so the field now holds a single string. See event 2 in the screenshot below.
- If false, the result is the single-value string already in the host field. See event 1.

Another option is to randomly pick an address from the result. To do this, use a modified version of the JavaScript eval:
Array.isArray(host) ? host[Math.floor(Math.random() * host.length)] : host
Here, instead of picking the first element, the code uses Math.floor(Math.random() * host.length) to randomly pick an element from the array.
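The two Eval expressions above, run outside Cribl Stream against constructed events so their behaviour can be checked. This is an added example, not code from the Cribl docs; the event shapes, field names and 192.0.2.x addresses are assumptions, and the join variant goes beyond the page as a third way to satisfy receivers that reject arrays.

```javascript
// Added example (not from the Cribl docs). Models the page's two Eval
// expressions for multi-value DNS results, plus a join variant.

// Constructed events mirroring the screenshot: event 1 resolved to a single
// address, event 2 to four. Addresses are documentation-range placeholders.
const events = [
  { domain: "google.com", host: "192.0.2.10" },
  { domain: "cribl.cloud",
    host: ["192.0.2.21", "192.0.2.22", "192.0.2.23", "192.0.2.24"] },
];

// Option 1 from the page: keep the first element when the field is an array.
// An empty array yields undefined, which JSON serialisation drops.
function firstValue(value) {
  return Array.isArray(value) ? value[0] : value;
}

// Option 2 from the page: pick a random element. The random source is
// injectable (defaults to Math.random) so tests can make the choice fixed.
function randomValue(value, rng = Math.random) {
  if (!Array.isArray(value)) return value;
  if (value.length === 0) return undefined;
  return value[Math.floor(rng() * value.length)];
}

// Variant not on the page: keep every address but flatten to one delimited
// string, for receivers that reject arrays yet must not lose answers.
function joinValues(value, sep = ",") {
  return Array.isArray(value) ? value.join(sep) : value;
}

// Apply a picker to one field across events, as an Eval Function would:
// write to outField, or back onto the source field when outField is omitted.
// Events are copied, not mutated, so the original lookup result is kept.
function normalizeField(evts, field, picker, outField = field) {
  return evts.map((e) => ({ ...e, [outField]: picker(e[field]) }));
}
```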