Splunk Search

Add associated domain to values of dest_ip

yoshileigh66
Explorer

I have a query that gets a list of destination ips per source ip. I also want to add a column for the associated domain name per destination ip. The query I have to get destination ips per source ip is: 

 

 

index=network | stats values(dest_ip) by src_ip

 

 

I am not wanting to use eval to combine the values of dest_ip and domain into one field, and I tried mvappend but I am unable to achieve the result I want. 

I tried |stats values(dest_ip) values(domain) by src_ip, but the dest_ip and domain columns appear to be independent of each other.

What I am looking for is below: 

src_ip domain_ips domain

I just need the domain name to be "connected" with the domain_ip

Labels (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

Yes. That's how it works - values(whatever) creates just one so-called multivalued field with a list of possible values of given field. The fild is a "standalone being" - if you have two multivalued fields, they are not connected with each other in any way.

You need to either combine both values prior to statsing

| eval destipdomain =dest_ip.":"dest_domain
| stats values(destipdomain) by src_ip

Then if you need  you'll have to split the value by the colon character.

Alternative approach would be to stats by more fields.

| stats values(dest_domain) by src_ip dest_ip

 

View solution in original post

PickleRick
SplunkTrust
SplunkTrust

Yes. That's how it works - values(whatever) creates just one so-called multivalued field with a list of possible values of given field. The fild is a "standalone being" - if you have two multivalued fields, they are not connected with each other in any way.

You need to either combine both values prior to statsing

| eval destipdomain =dest_ip.":"dest_domain
| stats values(destipdomain) by src_ip

Then if you need  you'll have to split the value by the colon character.

Alternative approach would be to stats by more fields.

| stats values(dest_domain) by src_ip dest_ip

 

yoshileigh66
Explorer

Thank you so much. I will go forward with splitting on the colon. 

Also want to add that I appreciate when time is taken to explain the 'why' behind commands and why they act the way they do. It definitely helps me learn and retain information. Thanks again. 

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...