Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

If there is no match in lookup table, return default value in results

tromero3
Path Finder
‎04-07-2020 03:37 PM

I have a lookup table with domain names and corresponding IP address. In my events, the results show the IP, so I added the lookup to my query so that it looks at the IP and if there is a match to replace it with the corresponding domain name. It is working, however for the IPs where there is no corresponding domain name match in the lookup table , it is showing those fields as blanks in my result. How can I make it show the default IP value that would have been there before the lookup was added?

| lookup ExtIPtoDNS Internal_IP as dest OUTPUT Domain as dest

Thank you!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rmmiller
Contributor
‎04-07-2020 07:40 PM

I would change your output field name to something temporary, use eval/coalesce, then drop the temporary field.
Something like this should do the trick:

| lookup ExtIPtoDNS Internal_IP as dest OUTPUT Domain as dest_temp
| eval dest=coalesce(dest_temp,dest)
| fields - dest_temp

Only things in your lookup file will have a non-null value for dest_temp, which coalesce will stuff into the dest field. For anything not in your lookup file, dest will be set back to itself.

Hope that helps!
rmmiller

View solution in original post

Reply
Solved! Jump to solution
Solution

rmmiller
Contributor
‎04-07-2020 07:40 PM

I would change your output field name to something temporary, use eval/coalesce, then drop the temporary field.
Something like this should do the trick:

| lookup ExtIPtoDNS Internal_IP as dest OUTPUT Domain as dest_temp
| eval dest=coalesce(dest_temp,dest)
| fields - dest_temp

Only things in your lookup file will have a non-null value for dest_temp, which coalesce will stuff into the dest field. For anything not in your lookup file, dest will be set back to itself.

Hope that helps!
rmmiller

Reply
Solved! Jump to solution

tromero3
Path Finder
‎04-07-2020 08:43 PM

That worked! Thank you so much!! 🙂

0 Karma
Reply
Solved! Jump to solution

rmmiller
Contributor
‎04-07-2020 09:44 PM

Great! Happy to help!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...