Re: Set empty values of dnslookup with "N/A" in mu...

igschloessl · ‎04-30-2020

I have a search where I lookup the hostname for an IP address. I want to set the empty hostname with N/A so I can see in the values which src splunk wasnt able to lookup.

My search is the following
index=http
| stats values(dest) as dest values(src) as src by domain
| lookup dnslookup clientip as src OUTPUTNEW clienthost as src_host
| fillnull src_host value="N/A"

this works if there is just one src and one src_host in the line, but if there are multiple src and src_host and one src_host cant be looked up, it just writes the found src_hosts under themselves and you cannot map the src_host to the related src.

now it looks like this: (................. stands for empty

src | src_host | dest | domain

10.0.0.2 | hostxy2 | 8.8.8.8 | google.com
10.0.0.7 |..................|..............|.................

10.0.0.11 | hostxy21 | 9..9.9.9 | example.com
10.0.0.21 | ................| ............ |.................

should look like this

src | src_host | dest | domain

10.0.0.2 | hostxy2 | 8.8.8.8 | google.com
10.0.0.7 | N/A |............. |.................

10.0.0.11 |N/A | 9.9.9.9 | example.com
10.0.0.21 | hostxy21 | ........... |.................

Can anyone help?

to4kawa · ‎04-30-2020

...
| stats values(dest) as dest values(src) as src by domain
| mvexpand src
...

igschloessl · ‎04-30-2020

this only deltes my values() command. But i want the values.. should look like something like this

src | src_host | dest | domain

10.0.0.2 | hostxy1 | 8.8.8.8 | google.com
10.0.0.7 | N/A | |

10.0.0.11 |N/A | 8.8.8.8 | example.com
10.0.0.21 | hostxy21 | 9.9.9.9 |

Set empty values of dnslookup with "N/A" in multivalue field

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life