All Apps and Add-ons

Set empty values of dnslookup with "N/A" in multivalue field

igschloessl
Explorer

I have a search where I lookup the hostname for an IP address. I want to set the empty hostname with N/A so I can see in the values which src splunk wasnt able to lookup.

My search is the following
index=http
| stats values(dest) as dest values(src) as src by domain
| lookup dnslookup clientip as src OUTPUTNEW clienthost as src_host
| fillnull src_host value="N/A"

this works if there is just one src and one src_host in the line, but if there are multiple src and src_host and one src_host cant be looked up, it just writes the found src_hosts under themselves and you cannot map the src_host to the related src.

now it looks like this: (................. stands for empty

src | src_host | dest | domain


10.0.0.2 | hostxy2 | 8.8.8.8 | google.com
10.0.0.7 |..................|..............|.................


10.0.0.11 | hostxy21 | 9..9.9.9 | example.com
10.0.0.21 | ................| ............ |.................


should look like this

src | src_host | dest | domain


10.0.0.2 | hostxy2 | 8.8.8.8 | google.com
10.0.0.7 | N/A |............. |.................


10.0.0.11 |N/A | 9.9.9.9 | example.com
10.0.0.21 | hostxy21 | ........... |.................


Can anyone help?

0 Karma

to4kawa
Ultra Champion
...
| stats values(dest) as dest values(src) as src by domain
| mvexpand src
...
0 Karma

igschloessl
Explorer

this only deltes my values() command. But i want the values.. should look like something like this

src | src_host | dest | domain


10.0.0.2 | hostxy1 | 8.8.8.8 | google.com
10.0.0.7 | N/A | |


10.0.0.11 |N/A | 8.8.8.8 | example.com
10.0.0.21 | hostxy21 | 9.9.9.9 |


0 Karma
Get Updates on the Splunk Community!

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...