As of today data models, like the Network Traffic data model, have fields for src, src_ip, dest and dest_ip, but not src_dns and dest_dns. The way I understand it, DNS names should then be used in the src and dest fields, and IPs in the fields src_ip and dest_ip.

Some logs don't have DNS names available in the log itself. However, if you have Splunk ES with a populated asset framework, it will automatically add the field src_dns and dest_dns to the events if the fields src and dest are already available.

If I want the fields src_dns and dest_dns from the events to be added to the src and dest fields in the data model, I would normally solve this by adding a coalesce for src in props.conf for the source type, but since lookups are applied after evals in the search time parsing, this is not possible when src_dns and dest_dns comes from a lookup, as in the case with Splunk ES.

Therefore I propose the following change to the data models themselves, for all datamodels that are using the src and dest fields:

Change the eval for src from

if(isnull(src) OR src="","unknown",src)

to

case((isnull(src_dns) OR src_dns="") AND (isnull(src) OR src=""),"unknown",NOT (isnull(src_dns) OR src_dns=""),src_dns,true(),dest)

and likewise change the eval for dest from

if(isnull(dest) OR dest="","unknown",dest)

to

case((isnull(dest_dns) OR dest_dns="") AND (isnull(dest) OR dest=""),"unknown",NOT (isnull(dest_dns) OR dest_dns=""),dest_dns,true(),dest)