I have a search where I look up the hostname for an IP address. I want to set the empty hostname to N/A so I can see in the values which src Splunk wasn't able to look up.
My search is the following:
| stats values(dest) as dest values(src) as src by domain
| lookup dnslookup clientip as src OUTPUTNEW clienthost as src_host
| fillnull src_host value="N/A"
This works if there is just one src and one src_host in the line, but if there are multiple src and src_host and one src_host can't be looked up, it just writes the found src_hosts under each other and you cannot map the src_host to the related src.
Now it looks like this: (................. stands for empty
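An added example, not part of the original post, showing one way to keep every src paired with its own src_host: resolve each src while it is still a single value per row, fill the misses, glue src and src_host into one string, and only then collapse by domain. The base search (index=web) is an assumption standing in for whatever precedes the first pipe in the original; the dnslookup lookup with its clientip/clienthost fields is the external DNS lookup that ships with Splunk.

```spl
index=web
| stats values(dest) AS dest by domain src
| lookup dnslookup clientip AS src OUTPUTNEW clienthost AS src_host
| fillnull value="N/A" src_host
| eval src_resolved = src . " (" . src_host . ")"
| stats values(dest) AS dest values(src_resolved) AS src by domain
```

The first stats groups by domain and src, so each row carries exactly one src and the lookup either fills src_host or leaves it empty for that one row; fillnull must run before the eval, because concatenating with a null field would make src_resolved itself null and the unresolved src would vanish from the final values. The second stats rebuilds one row per domain, with each entry of src now reading like 10.0.0.5 (N/A) or 10.0.0.6 (host.example.com), so the mapping survives the multivalue field. Grouping by src before the lookup also means dnslookup runs once per distinct address rather than once per event.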