Splunk Search

Time field not reflecting along with the inputlookup query

Prashant
Explorer

Hi Team,

I am using the below query to run the DNS lookups. Everything is fine, but I am not getting the time field aligned with my inputlookup query. If I remove the inputlookup and use an individual domain name, then it works fine. However, I would like to have the time as well, along with my inputlookup data.

 

| makeresults
| inputlookup append=t dns.csv
| dnsquery domainfield=domain qtype="A" answerfield="dns_response" nss="10.102.204.52"
| eval Status = case(isnotnull(dns_error), "UnReachable",1=1 , "Reachable")
| eval DateTime=strftime(_time,"%a %B %d %Y %H:%M:%S")
| table DateTime domain dns_response dns_error Status

 

Result is showing as:

DateTime                        domain                      dns_response   dns_error                                                                                                                                                         Status
Wed September 18 2024 11:57:19                                                                                                                                                                                                               Reachable
                                ns1.vodacombusiness.co.za   41.0.1.10                                                                                                                                                                        Reachable
                                ns2.vodacombusiness.co.za   41.0.193.10                                                                                                                                                                      Reachable
                                ns3.vodacombusiness.co.za   -              Could not execute DNS query: A -> ns3.vodacombusiness.co.za. Error: None of DNS query names exist: ns3.vodacombusiness.co.za., ns3.vodacombusiness.co.za.          UnReachable
1 Solution

gcusello
SplunkTrust

Hi @Prashant ,

From the inputlookup you don't have a timestamp _time.

If you want the now() timestamp, you can try it this way:

| inputlookup dns.csv
| dnsquery domainfield=domain qtype="A" answerfield="dns_response" nss="10.102.204.52"
| eval DateTime=strftime(now(),"%a %B %d %Y %H:%M:%S")
| eval Status = case(isnotnull(dns_error), "UnReachable",1=1 , "Reachable")
| table DateTime domain dns_response dns_error Status

Ciao.

Giuseppe
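As an added example (not code from either poster in this thread), here is the original query with makeresults kept: the rows appended from the lookup have no _time, so coalesce fills them with now() before the timestamp is formatted, and the empty makeresults row (the one that produced the blank first line in the result above) is dropped with a where clause. It assumes the dns.csv lookup has a domain column and reuses the nameserver address given in the thread.

```spl
| makeresults
| inputlookup append=t dns.csv
| eval _time=coalesce(_time, now())
| dnsquery domainfield=domain qtype="A" answerfield="dns_response" nss="10.102.204.52"
| eval Status=case(isnotnull(dns_error), "UnReachable", 1=1, "Reachable")
| eval DateTime=strftime(_time, "%a %B %d %Y %H:%M:%S")
| where isnotnull(domain)
| table DateTime domain dns_response dns_error Status
```

The coalesce step is what makes the difference: makeresults sets _time only on its own single row, and inputlookup append=t adds rows with no _time at all, so strftime(_time, ...) is null for every domain row unless _time is filled first. Note that the timestamp is the search time, not the time the DNS answer was observed; if the lookup carries its own time column, use that column in the coalesce instead of now().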


Prashant
Explorer

Hi @gcusello - Ah got it. Thank you so much.

 


gcusello
SplunkTrust

Hi @Prashant ,

Good for you, see you next time!

Let me know if I can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

