Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add associated domain to values of dest_ip

yoshileigh66
Explorer
‎02-29-2024 12:37 PM

I have a query that gets a list of destination ips per source ip. I also want to add a column for the associated domain name per destination ip. The query I have to get destination ips per source ip is: 

 

 

index=network | stats values(dest_ip) by src_ip

 

 

I am not wanting to use eval to combine the values of dest_ip and domain into one field, and I tried mvappend but I am unable to achieve the result I want. 

I tried |stats values(dest_ip) values(domain) by src_ip, but the dest_ip and domain columns appear to be independent of each other.

What I am looking for is below: 

src_ip domain_ips domain

I just need the domain name to be "connected" with the domain_ip

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎02-29-2024 03:00 PM

Yes. That's how it works - values(whatever) creates just one so-called multivalued field with a list of possible values of given field. The fild is a "standalone being" - if you have two multivalued fields, they are not connected with each other in any way.

You need to either combine both values prior to statsing

| eval destipdomain =dest_ip.":"dest_domain
| stats values(destipdomain) by src_ip

Then if you need  you'll have to split the value by the colon character.

Alternative approach would be to stats by more fields.

| stats values(dest_domain) by src_ip dest_ip

 

View solution in original post

Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎02-29-2024 03:00 PM

Yes. That's how it works - values(whatever) creates just one so-called multivalued field with a list of possible values of given field. The fild is a "standalone being" - if you have two multivalued fields, they are not connected with each other in any way.

You need to either combine both values prior to statsing

| eval destipdomain =dest_ip.":"dest_domain
| stats values(destipdomain) by src_ip

Then if you need  you'll have to split the value by the colon character.

Alternative approach would be to stats by more fields.

| stats values(dest_domain) by src_ip dest_ip

 

Reply
Solved! Jump to solution

yoshileigh66
Explorer
‎03-01-2024 06:00 AM

Thank you so much. I will go forward with splitting on the colon. 

Also want to add that I appreciate when time is taken to explain the 'why' behind commands and why they act the way they do. It definitely helps me learn and retain information. Thanks again. 

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...