Hello!
The lookup is generated by the saved search "Identity - Asset CIDR Matches - Lookup Gen"
| `asset_sources` | `make_assets_cidr` | outputlookup output_format=splunk_mv_csv asset_lookup_by_cidr | stats count
The main issue you will get is that the saved search will override any content of asset_lookup_by_cidr (because there is no append=t in the query).
If you want to know exactly the format of the csv, I think the best option you have is to have a look at the "make_assets" macro, which is:
fillnull value="false" `extra_asset_fields` | `split_mv_asset_fields` | `gen_asset_id(asset_id)` | dedup asset_id | where isnotnull(asset_id) | expandiprange ip | `ubi_rewrite_ips` | eval `pci_category_meval(category)`, `pci_domain_meval(pci_domain, category)`, `tag_assets_meval` | `generate_asset_key` | fields `asset_key_field`,`asset_fields`
What you are looking for is: | fields `asset_key_field`,`asset_fields`
You will get the following after resolving all macros:
key, ip, mac,nt_host,dns, owner,priority,lat,long,city,country,bunit,category,pci_domain, is_expected, should_timesync, should_update, requires_av
The key field is the following: key=sha1(strcat(ip,mac,nt_host,dns))
Thanks to the doc (link text) you will have the correct format for each field.
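As an added illustration (my own Python sketch, not code from the post above or from Splunk ES): it builds rows in the column order listed above, computes key as sha1 of the concatenated ip, mac, nt_host and dns, and shows the difference between overwriting the lookup (what the saved search does without append=t) and merging new rows into the existing file. Assumptions, not stated in the post: the four identity fields are joined with no separator and a missing field counts as empty; `extra_asset_fields` expands to the four flag columns that fillnull sets to "false"; the merge keyed on `key` is one way to preserve existing rows, not a description of what `outputlookup append=t` itself does.

```python
import csv
import hashlib
import io

# Column order of asset_lookup_by_cidr as resolved from
# `asset_key_field`,`asset_fields` in the post above.
ASSET_COLUMNS = [
    "key", "ip", "mac", "nt_host", "dns", "owner", "priority", "lat", "long",
    "city", "country", "bunit", "category", "pci_domain",
    "is_expected", "should_timesync", "should_update", "requires_av",
]

# Assumption: these are the fields `extra_asset_fields` expands to, which the
# make_assets macro fills with "false" when absent (fillnull value="false").
FLAG_COLUMNS = ["is_expected", "should_timesync", "should_update", "requires_av"]


def asset_key(ip="", mac="", nt_host="", dns=""):
    """key = sha1(strcat(ip, mac, nt_host, dns)).

    Assumption: the four fields are joined with no separator and a missing
    field contributes the empty string, so a CIDR-only asset's key is sha1(ip).
    """
    return hashlib.sha1((ip + mac + nt_host + dns).encode("utf-8")).hexdigest()


def build_row(**fields):
    """Build one lookup row in column order; `key` is derived, never supplied."""
    unknown = set(fields) - set(ASSET_COLUMNS)
    if unknown:
        raise ValueError(f"not an asset field: {sorted(unknown)}")
    row = {col: "" for col in ASSET_COLUMNS}
    row.update({col: "false" for col in FLAG_COLUMNS})
    row.update(fields)
    row["key"] = asset_key(row["ip"], row["mac"], row["nt_host"], row["dns"])
    return row


def rows_to_csv(rows):
    """Serialise rows as the lookup CSV (single-valued fields only)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=ASSET_COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def csv_to_rows(text):
    """Read the lookup CSV back into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def overwrite_lookup(new_rows):
    """What the saved search does without append=t: the previous file content
    is discarded and only the newly generated rows remain."""
    return rows_to_csv(new_rows)


def merge_lookup(existing_csv, new_rows):
    """One way to keep what is already in the lookup: read the current rows,
    add the new ones, and let a new row replace an existing row with the same
    key (a hypothetical merge step, not Splunk's own append behaviour)."""
    merged = {row["key"]: row for row in csv_to_rows(existing_csv)}
    for row in new_rows:
        merged[row["key"]] = row
    return rows_to_csv(merged.values())


if __name__ == "__main__":
    # Constructed sample assets, not real data.
    current = rows_to_csv([build_row(ip="10.0.0.0/24", owner="netops", category="cidr")])
    fresh = [build_row(ip="192.168.1.0/24", dns="lab.example.com", category="cidr")]
    print("overwrite keeps", len(csv_to_rows(overwrite_lookup(fresh))), "row(s)")
    print("merge keeps", len(csv_to_rows(merge_lookup(current, fresh))), "row(s)")
```

Multivalue fields are the one thing this sketch does not cover: output_format=splunk_mv_csv encodes them differently from a plain CSV, so check the doc linked in the post for that case.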