Set empty values of dnslookup with "N/A" in multivalue field

Explorer

I have a search where I look up the hostname for an IP address. I want to set the empty hostname to N/A so I can see in the values which src Splunk wasn't able to look up.

My search is the following:
index=http
| stats values(dest) as dest values(src) as src by domain
| lookup dnslookup clientip as src OUTPUTNEW clienthost as src_host
| fillnull src_host value="N/A"

This works if there is just one src and one src_host in the line, but if there are multiple src and src_host values and one src_host can't be looked up, it just writes the found src_hosts under themselves and you cannot map the src_host to the related src.

Now it looks like this (.......... stands for an empty cell):

src | src_host | dest | domain

10.0.0.2 | hostxy2 | 8.8.8.8 | google.com
10.0.0.7 | .......... | .......... | ..........

10.0.0.11 | hostxy21 | 9.9.9.9 | example.com
10.0.0.21 | .......... | .......... | ..........


It should look like this:

src | src_host | dest | domain

10.0.0.2 | hostxy2 | 8.8.8.8 | google.com
10.0.0.7 | N/A | .......... | ..........

10.0.0.11 | N/A | 9.9.9.9 | example.com
10.0.0.21 | hostxy21 | .......... | ..........


Can anyone help?


SplunkTrust
...
| stats values(dest) as dest values(src) as src by domain
| mvexpand src
...

Explorer

This only deletes my values() command. But I want the values. It should look something like this:

src | src_host | dest | domain

10.0.0.2 | hostxy1 | 8.8.8.8 | google.com
10.0.0.7 | N/A | |

10.0.0.11 | N/A | 8.8.8.8 | example.com
10.0.0.21 | hostxy21 | 9.9.9.9 |


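One way to keep src and src_host paired after the mvexpand, written here as an added example that is not part of this thread (it assumes the same dnslookup fields, clientip and clienthost, that the question uses): expand, look up and fill per row, then re-aggregate with list() instead of values(). values() deduplicates and sorts each field on its own, which is exactly what breaks the pairing; list() keeps values in arrival order and the same count per field, so the nth src_host still belongs to the nth src, and the unresolved ones show up as N/A in the right position.

```spl
index=http
| stats values(dest) AS dest values(src) AS src BY domain
| mvexpand src
| lookup dnslookup clientip AS src OUTPUTNEW clienthost AS src_host
| fillnull src_host value="N/A"
| stats values(dest) AS dest list(src) AS src list(src_host) AS src_host BY domain
```

Two limits to keep in mind: list() returns at most 100 values per field by default (list_maxvals in limits.conf), and mvexpand can stop with a memory-limit warning on very wide multivalue fields. If either bites, the lookup and fillnull can be run before the first stats, grouping by domain and src first and then re-aggregating with list() as above.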