Splunk Enterprise Security

If there is no match in the lookup table, return the default value in the results

tromero3
Path Finder

I have a lookup table with domain names and corresponding IP addresses. In my events, the results show the IP, so I added the lookup to my query so that it looks at the IP and, if there is a match, replaces it with the corresponding domain name. It is working; however, for the IPs where there is no corresponding domain name match in the lookup table, it is showing those fields as blank in my results. How can I make it show the default IP value that would have been there before the lookup was added?

| lookup ExtIPtoDNS Internal_IP as dest OUTPUT Domain as dest

Thank you!

0 Karma
1 Solution

rmmiller
Contributor

I would change your output field name to something temporary, use eval/coalesce, then drop the temporary field.
Something like this should do the trick:

| lookup ExtIPtoDNS Internal_IP as dest OUTPUT Domain as dest_temp
| eval dest=coalesce(dest_temp,dest)
| fields - dest_temp

Only things in your lookup file will have a non-null value for dest_temp, which coalesce will stuff into the dest field. For anything not in your lookup file, dest will be set back to itself.

Hope that helps!
rmmiller


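To make the accepted answer's behaviour concrete, the following is an added Python emulation of what each of the two searches does to an event (it is not part of the original thread and not Splunk code): the `lookup ... OUTPUT` step, the `eval coalesce()` fallback, and dropping the temporary field. The lookup contents, the event values and the field name `src` are constructed for this example; the lookup name `ExtIPtoDNS` and the fields `Internal_IP`, `Domain`, `dest` and `dest_temp` are the ones from the thread.

```python
"""Emulation of a Splunk `lookup ... OUTPUT` enrichment step and of the
coalesce() fallback from the accepted answer, run over constructed events."""

# Constructed stand-in for the ExtIPtoDNS lookup table (Internal_IP -> Domain).
# Addresses and host names are made up for this example.
EXT_IP_TO_DNS = {
    "10.0.0.5": "fileserver.corp.example",
    "10.0.0.9": "vpn.corp.example",
}

# Constructed events; each already carries an IP in `dest`.
EVENTS = [
    {"src": "172.16.4.20", "dest": "10.0.0.5"},
    {"src": "172.16.4.21", "dest": "10.0.0.9"},
    {"src": "172.16.4.22", "dest": "192.168.1.20"},  # no row in the lookup
]


def lookup_output(events, table, input_field, output_field):
    """Emulates `| lookup <table> Internal_IP as <input_field> OUTPUT Domain as <output_field>`.

    OUTPUT writes the output field on every event that went through the lookup.
    On a miss there is no value to write, so the field ends up null; if the
    output field is the same as the input field, that null replaces the IP.
    """
    result = []
    for event in events:
        event = dict(event)                # do not mutate the caller's events
        match = table.get(event.get(input_field))
        if match is None:
            event.pop(output_field, None)  # miss: output field becomes null
        else:
            event[output_field] = match
        result.append(event)
    return result


def coalesce(*values):
    """Emulates eval coalesce(): returns the first argument that is not null."""
    for value in values:
        if value is not None:
            return value
    return None


def enrich_naive(events):
    """The original search: `... OUTPUT Domain as dest`. Blanks dest on a miss."""
    return lookup_output(events, EXT_IP_TO_DNS, "dest", "dest")


def enrich_with_fallback(events):
    """The accepted answer:
        | lookup ExtIPtoDNS Internal_IP as dest OUTPUT Domain as dest_temp
        | eval dest=coalesce(dest_temp,dest)
        | fields - dest_temp
    """
    enriched = lookup_output(events, EXT_IP_TO_DNS, "dest", "dest_temp")
    for event in enriched:
        event["dest"] = coalesce(event.get("dest_temp"), event.get("dest"))
        event.pop("dest_temp", None)       # fields - dest_temp
    return enriched


def dest_values(events):
    """Column of `dest` values, None where the field was blanked."""
    return [event.get("dest") for event in events]


if __name__ == "__main__":
    for label, fn in (("OUTPUT Domain as dest", enrich_naive),
                      ("coalesce fallback", enrich_with_fallback)):
        print(label)
        for original, enriched in zip(EVENTS, fn(EVENTS)):
            print(f"  {original['dest']:<14} -> {enriched.get('dest')}")
```

The temporary field is what makes the fallback possible: once the lookup has written a null directly onto `dest`, the IP is gone and there is nothing left for `coalesce()` to fall back to, which is why the miss shows up as a blank in the original search.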
tromero3
Path Finder

That worked! Thank you so much!! 🙂

0 Karma

rmmiller
Contributor

Great! Happy to help!

0 Karma