https://community.splunk.com/t5/Splunk-Search/Add-location-to-IPs-found-in-lookup-or-add-unknown-if-missing/m-p/500558#M139362 <P>This should work.</P> <PRE><CODE>| inputlookup hostnames.csv | fields hostname ip | eval ip = split(ip,"|") | mvexpand ip ... </CODE></PRE> Tue, 04 Feb 2020 14:39:55 GMT richgalloway 2020-02-04T14:39:55Z https://community.splunk.com/t5/Splunk-Search/Add-location-to-IPs-found-in-lookup-or-add-unknown-if-missing/m-p/500557#M139361 <P>So I have a string of IPs that are input and trying to figure out how to add the location on them which are stated in a csv.</P> <P>the input string varies and could looks like for example like this for each host:</P> <P><STRONG>ip=1.1.1.1<BR /> ip=1.1.1.2|1.2.3.4<BR /> ip=1.1.1.5|1.4.4.6|1.2.4.6</STRONG></P> <P>meaning each could either have one ip or more, some of these ips are in the location csv some not</P> <P>so my table from the begining have these values and other empty fields that will be filled later,<BR /> *<EM>hostname, ip, location, owner *</EM></P> <P>The ones with information atm are hostname, ip, trying to add location with below, then add the other info after this code as its dependad on it:</P> <P>**<BR /> |inputlookup hostnames.csv <BR /> |table hostname ip<BR /> | eval ip = split(ip,"|") <BR /> | eval numIPs = mvcount(ip)<BR /> | eval iVal = mvrange(0,numIPs,1)<BR /> .<BR /> .<BR /> .<BR /> ...missing...code...<BR /> .<BR /> .<BR /> .<BR /> | lookup location_info ip_prefix AS ip OUTPUT location<BR /> |table hostname ip location owner<BR /> | eval location = if(location="NONE" OR location="Unknown", "Unkown", location)<BR /> | streamstats count<BR /> | mvexpand location<BR /> | dedup count location<BR /> | mvcombine location<BR /> | fields - count<BR /> | lookup owners.csv location OUTPUT owner<BR /> | table hostname ip location owner**</P> <P>when there is 1 ip in the string, this works, but if there is more I have no clue at all how to solve it. I've tried mvexpand, mvcombine, foreach, with no luck or I'm using them wrongly.</P> <P>can someone share some insight in this?</P> Wed, 30 Sep 2020 04:00:00 GMT https://community.splunk.com/t5/Splunk-Search/Add-location-to-IPs-found-in-lookup-or-add-unknown-if-missing/m-p/500557#M139361 khaghsam 2020-09-30T04:00:00Z https://community.splunk.com/t5/Splunk-Search/Add-location-to-IPs-found-in-lookup-or-add-unknown-if-missing/m-p/500558#M139362 <P>This should work.</P> <PRE><CODE>| inputlookup hostnames.csv | fields hostname ip | eval ip = split(ip,"|") | mvexpand ip ... </CODE></PRE> Tue, 04 Feb 2020 14:39:55 GMT https://community.splunk.com/t5/Splunk-Search/Add-location-to-IPs-found-in-lookup-or-add-unknown-if-missing/m-p/500558#M139362 richgalloway 2020-02-04T14:39:55Z https://community.splunk.com/t5/Splunk-Search/Add-location-to-IPs-found-in-lookup-or-add-unknown-if-missing/m-p/500559#M139363 <P>| inputlookup hostnames.csv<BR /> | fields hostname ip<BR /> | eval ip = split(ip,"|")<BR /> | mvexpand ip<BR /> | lookup location_info ip_prefix AS ip OUTPUT location</P> <P>Works but the combine part becomes an issue then.<BR /> So the output of above becomes:</P> <P>hostname1 1.1.1.1 location1<BR /><BR /> hostname1 2.2.2.2 unknown<BR /> hostname1 3.3.3.3 location2</P> <P>depending on how many local/virtual ips the host has.</P> Wed, 30 Sep 2020 04:00:34 GMT https://community.splunk.com/t5/Splunk-Search/Add-location-to-IPs-found-in-lookup-or-add-unknown-if-missing/m-p/500559#M139363 khaghsam 2020-09-30T04:00:34Z https://community.splunk.com/t5/Splunk-Search/Add-location-to-IPs-found-in-lookup-or-add-unknown-if-missing/m-p/500560#M139364 <P>What is the desired output?</P> Wed, 05 Feb 2020 13:45:00 GMT https://community.splunk.com/t5/Splunk-Search/Add-location-to-IPs-found-in-lookup-or-add-unknown-if-missing/m-p/500560#M139364 richgalloway 2020-02-05T13:45:00Z https://community.splunk.com/t5/Splunk-Search/Add-location-to-IPs-found-in-lookup-or-add-unknown-if-missing/m-p/500561#M139365 <P>Something like this:</P> <P><IMG src="https://drive.google.com/open?id=1D5zo70owEnr5teSrWnkfSEU1uZBv6hdf" alt="alt text" /></P> <P><A href="https://drive.google.com/open?id=1D5zo70owEnr5teSrWnkfSEU1uZBv6hdf">https://drive.google.com/open?id=1D5zo70owEnr5teSrWnkfSEU1uZBv6hdf</A></P> <P>Now the location field's duplicates need to be removed in case there are, same with owner. (so I guess only unique values)</P> Wed, 05 Feb 2020 13:58:41 GMT https://community.splunk.com/t5/Splunk-Search/Add-location-to-IPs-found-in-lookup-or-add-unknown-if-missing/m-p/500561#M139365 khaghsam 2020-02-05T13:58:41Z