Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

If there is no match in lookup table, return default value in results

tromero3
Path Finder
‎04-07-2020 03:37 PM

I have a lookup table with domain names and corresponding IP address. In my events, the results show the IP, so I added the lookup to my query so that it looks at the IP and if there is a match to replace it with the corresponding domain name. It is working, however for the IPs where there is no corresponding domain name match in the lookup table , it is showing those fields as blanks in my result. How can I make it show the default IP value that would have been there before the lookup was added?

| lookup ExtIPtoDNS Internal_IP as dest OUTPUT Domain as dest

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rmmiller
Contributor
‎04-07-2020 07:40 PM

I would change your output field name to something temporary, use eval/coalesce, then drop the temporary field.
Something like this should do the trick:

| lookup ExtIPtoDNS Internal_IP as dest OUTPUT Domain as dest_temp
| eval dest=coalesce(dest_temp,dest)
| fields - dest_temp

Only things in your lookup file will have a non-null value for dest_temp, which coalesce will stuff into the dest field. For anything not in your lookup file, dest will be set back to itself.

Hope that helps!
rmmiller

View solution in original post

Reply
Solved! Jump to solution
Solution

rmmiller
Contributor
‎04-07-2020 07:40 PM

I would change your output field name to something temporary, use eval/coalesce, then drop the temporary field.
Something like this should do the trick:

| lookup ExtIPtoDNS Internal_IP as dest OUTPUT Domain as dest_temp
| eval dest=coalesce(dest_temp,dest)
| fields - dest_temp

Only things in your lookup file will have a non-null value for dest_temp, which coalesce will stuff into the dest field. For anything not in your lookup file, dest will be set back to itself.

Hope that helps!
rmmiller

Reply
Solved! Jump to solution

tromero3
Path Finder
‎04-07-2020 08:43 PM

That worked! Thank you so much!! 🙂

0 Karma
Reply
Solved! Jump to solution

rmmiller
Contributor
‎04-07-2020 09:44 PM

Great! Happy to help!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...