
Set empty values of dnslookup with "N/A" in multivalue field

igschloessl
Explorer

I have a search where I look up the hostname for an IP address. I want to set the empty hostname to N/A so I can see in the values which src Splunk wasn't able to look up.

My search is the following:
index=http
| stats values(dest) as dest values(src) as src by domain
| lookup dnslookup clientip as src OUTPUTNEW clienthost as src_host
| fillnull src_host value="N/A"

This works if there is just one src and one src_host in the line, but if there are multiple src and src_host values and one src_host can't be looked up, it just writes the found src_hosts under each other and you cannot map the src_host to the related src.

Now it looks like this (blank cells are empty):

src       | src_host | dest    | domain
----------+----------+---------+------------
10.0.0.2  | hostxy2  | 8.8.8.8 | google.com
10.0.0.7  |          |         |
----------+----------+---------+------------
10.0.0.11 | hostxy21 | 9.9.9.9 | example.com
10.0.0.21 |          |         |


It should look like this:

src       | src_host | dest    | domain
----------+----------+---------+------------
10.0.0.2  | hostxy2  | 8.8.8.8 | google.com
10.0.0.7  | N/A      |         |
----------+----------+---------+------------
10.0.0.11 | N/A      | 9.9.9.9 | example.com
10.0.0.21 | hostxy21 |         |


Can anyone help?

0 Karma

to4kawa
Ultra Champion
...
| stats values(dest) as dest values(src) as src by domain
| mvexpand src
...
0 Karma

igschloessl
Explorer

This only deletes my values() command. But I want the values. It should look something like this:

src       | src_host | dest    | domain
----------+----------+---------+------------
10.0.0.2  | hostxy1  | 8.8.8.8 | google.com
10.0.0.7  | N/A      |         |
----------+----------+---------+------------
10.0.0.11 | N/A      | 8.8.8.8 | example.com
10.0.0.21 | hostxy21 | 9.9.9.9 |


0 Karma
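An added example, not part of the original thread, that carries the mvexpand suggestion above through to a result that keeps each src paired with its own src_host. It assumes the same index=http data, the same field names and the same dnslookup external lookup (clientip in, clienthost out) as the original search; nothing else is introduced.

```spl
index=http
| stats values(dest) as dest values(src) as src by domain
| mvexpand src
| lookup dnslookup clientip as src OUTPUTNEW clienthost as src_host
| fillnull src_host value="N/A"
| stats values(dest) as dest list(src) as src list(src_host) as src_host by domain
```

mvexpand turns each multivalue src into its own row, so dnslookup runs against exactly one address per row and fillnull writes N/A on precisely the rows where no clienthost came back. The final stats collapses back to one row per domain; using list() instead of values() for src and src_host keeps the row order and does not deduplicate, so the n-th src lines up with the n-th src_host, while values(dest) rebuilds dest as before. Two caveats: list() returns at most 100 values per field, and mvexpand is bounded by max_mem_usage_mb in limits.conf, so on very large per-domain sets either filter earlier or combine the pair into one field (for example eval src_host=src." -> ".src_host before the last stats) so the mapping survives even if one side is truncated.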