Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Time field not reflecting along with the inputlookup query

Prashant
Explorer
‎09-18-2024 03:03 AM

Hi Team,

I am using below query to get the DNS lookup query, everything is fine but I am not getting the time field aligned with my inputlookup query. If I remove the inputlookup and use the individual domain name then it works fine. however I would like to have the time as well along with my inputlookup data.

 

| makeresults
| inputlookup append=t dns.csv
| dnsquery domainfield=domain qtype="A" answerfield="dns_response" nss="10.102.204.52"
| eval Status = case(isnotnull(dns_error), "UnReachable",1=1 , "Reachable")
| eval DateTime=strftime(_time,"%a %B %d %Y %H:%M:%S")
| table DateTime domain dns_response dns_error Status

 

Result is showing as - 

DateTime domain dns_response dns_error Status

Wed September 18 2024 11:57:19   Reachable
 ns1.vodacombusiness.co.za41.0.1.10 Reachable
 ns2.vodacombusiness.co.za41.0.193.10 Reachable
 ns3.vodacombusiness.co.za-Could not execute DNS query: A -> ns3.vodacombusiness.co.za. Error: None of DNS query names exist: ns3.vodacombusiness.co.za., ns3.vodacombusiness.co.za.UnReachable
Labels (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-18-2024 03:10 AM

Hi @Prashant ,

from the inputlookup you don't have a timestamp _time.

If you want the now() timestamp you can try in this way:

| inputlookup dns.csv
| dnsquery domainfield=domain qtype="A" answerfield="dns_response" nss="10.102.204.52"
| eval DateTine=strftime(now(),"%a %B %d %Y %H:%M:%S")
| eval Status = case(isnotnull(dns_error), "UnReachable",1=1 , "Reachable")
| table DateTime domain dns_response dns_error Status

 Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

Prashant
Explorer
‎09-18-2024 03:13 AM

Hi @gcusello - Ah got it. Thank you so much.

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-18-2024 03:32 AM

Hi @Prashant ,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎09-18-2024 03:10 AM

Hi @Prashant ,

from the inputlookup you don't have a timestamp _time.

If you want the now() timestamp you can try in this way:

| inputlookup dns.csv
| dnsquery domainfield=domain qtype="A" answerfield="dns_response" nss="10.102.204.52"
| eval DateTine=strftime(now(),"%a %B %d %Y %H:%M:%S")
| eval Status = case(isnotnull(dns_error), "UnReachable",1=1 , "Reachable")
| table DateTime domain dns_response dns_error Status

 Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...