If Reverse DNS lookup fails, then results don't ge...

myeatman · ‎06-25-2010

I'm trying to report on successful login activity to S/FTP server via the following:

host="my-ftp-server" sc_status="250" OR sc_status="331" | lookup dnslookup clientip as c_ip output clienthost as hostname | top cs_username,c_ip,hostname,sc_status limit="1000"

Problem: if the dnslookup fails, then Splunk does not include in the results. In other words, for the above query, if "hostname" is null, then the result isn't included in the displayed results - how do I tell splunk to include these? I don't want to exclude just because the dns lookup failed. It seems to display just fine for logins coming from hosts for which I can do a successful nslookup from my splunk box.

Anyone run across this problem or have any ideas?

timdenholm · ‎05-11-2020

I had a similar use case to this, however I wanted to only use one field for both the client IP address and resolved hostname. I used eval with if and isnull to substitute the null values with the original client IP address value so that it's retained. Using fillnull as is commonly suggested would only substitute the null values with a predefined string.

`some kind of search`
| lookup dnslookup clientip as c_ip output clienthost as host_resolved
| eval hostname = if(isnull(host_resolved), host, host_resolved)
| stats count by hostname, user

myeatman · ‎06-25-2010

fillnull is my friend:

host="my-ftp-server" sc_status="250" OR sc_status="331" | lookup dnslookup clientip as c_ip output clienthost as hostname | fillnull value="No DNS Info" | top cs_username,c_ip,hostname,sc_status limit="1000"

If Reverse DNS lookup fails, then results don't get displayed - not what I intended!

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life