I'm trying to report on successful login activity to an S/FTP server via the following:
host="my-ftp-server" sc_status="250" OR sc_status="331" | lookup dnslookup clientip as c_ip output clienthost as hostname | top cs_username,c_ip,hostname,sc_status limit="1000"
Problem: if the dnslookup fails, then Splunk does not include the event in the results. In other words, for the above query, if "hostname" is null, then the result isn't included in the displayed results - how do I tell Splunk to include these? I don't want to exclude an event just because the DNS lookup failed. It seems to display just fine for logins coming from hosts for which I can do a successful nslookup from my Splunk box.
Anyone run across this problem or have any ideas?
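An added example, not part of the original post, of the same search with the null hostname handled before top. It assumes the same index fields and lookup names as the post; fillnull substitutes a placeholder into hostname so top no longer drops the events whose DNS lookup returned nothing, and the parentheses around the status codes are added only for readability:

```spl
host="my-ftp-server" (sc_status="250" OR sc_status="331")
| lookup dnslookup clientip AS c_ip OUTPUT clienthost AS hostname
| fillnull value="unresolved" hostname
| top cs_username, c_ip, hostname, sc_status limit=1000
```

If you would rather fall back to the raw address than a fixed label, `| eval hostname=coalesce(hostname, c_ip)` in place of the fillnull line has the same effect on top.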