Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Creating a lookup from comma separated data...

Steve_Litras
Path Finder
‎01-09-2014 03:07 PM

I'm trying to do some work with qualys data. There are events that describe "asset groups", with a bunch of fields, one of which is "scanips", which is a comma separated list of IP addresses. something like:

asset_group_id=1376498 asset_group_title="San Francisco Assets" scanips=10.10.1.2,10.10.1.3,10.10.5.2

I'd like to process that data and use outputlookup to create a lookup table that would be something like

ip,asset_group

10.10.1.2,San Francisco Assets

10.10.1.3,San Francisco Assets

10.10.5.2,San Francisco Assets

I'd like to do this all within splunk, but can't figure out how. Any thoughts?

Thanks
Steve

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎01-09-2014 07:52 PM

I am assuming the sample event your posted is already indexed and when searched, you are able to get fields asset_group_title and scanips. 

query to select your event | fields asset_group_title, scanips | rename asset_group_title as asset_group, scanips as ip | eval ip=split(ip,",") | mvexpand ip | outputlookup yourlookupfilename
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...