Hi lguinn, I have been working with your answer on and off today and it is a good start and has got me thinking. The answer seems to have a problem outputting host as hostname if I set $srcinput as a DNS name. I may have interpreted your answer incorrectly as I can't see why the "where" command is needed or why. I am currently building the query in Search as I can't get the App to use external_lookup.py (I think I need to restart Splunk to accept the App changes, new transforms.conf etc). Do I need to do another search after the where once I have populated srcipToMatch? ... View more

Thanks lguinn (and somesoni2) that has indeed helped. I had to remove the filenull value="N/A" and change to "" then use replace to populate blank IP_PORT values in a table i added to the end of the query. ... View more