How to get a comma separated List

brownt61 — Tue, 30 Jun 2020 14:03:11 GMT

Hello all,

I am hoping for help creating a comma separated list. I have tried multiple different things and all have resulted in lists, but never quite what I am needing.

I have a list of email addresses, that I need to be listed out, comma separated so that I can automate a currently manual process of updating a DLP policy.

The list would appear as follows

input data:

Email
email1@email.com

email2@email.com

email3@email.com

email4@email.com

email5@email.com

...

email1124@email.com

email1125@email.com

The output list that I need comma separated needs to be displayed as follows

EmailAddress

email1@email.com,

email2@email.com,

email3@email.com,

email4@email.com,

email5@email.com,

...

email1124@email.com,

email1125@email.com

note that the list is comma separated however the final entry does not get a comma. This is because Symantec DLP reconizes the comma separator as an expected new entry. If there is no comma, the final entry is expected as the last entry.

I have tied stats list (this worked) however, it limits the output to 100 (I have around 1500 email addresses). I know that I could have the limits.conf increased from 100, but I would like to avoid this just do accomplish this one task.

I have also tried to string the fields to string the , however it places the comma at the end of the final value in the list.
| eval EmailAddress=Email+","
| table EmailAddress

I have also tried mvjoin which just creates a giant mv field, which would be ok, expect some of the email addresses have a - in them, which then line breaks resulting in the .csv file being sent out break and have emails not formatted correctly.

I have also tried delim with a dc and values, however it also just creates a giant mv list with commas at the end of all values including the end value.

| stats delim="," dc(Email) as EmailAddressCount, values(Email) as EmailAddress
| nomv EmailAddress
| table EmailAddress

Is there a way to create the comma separated list as requested? or is there an easier way to remove the trailing character from the LAST value?

Thank you

Re: How to get a comma separated List

mthomas_splunk — Tue, 30 Jun 2020 16:35:16 GMT

To generate the source data, I used:

| makeresults count=1500 | streamstats count | eval email="email"+count+"@email.com" | fields - _time, count

then to combine it, it used:

| mvcombine email delim="," | nomv email

Which results in:

email1@email.com,email2@email.com,email3@email.com,email4@email.com,email5@email.com,email6@email.com,emai....

Alternatively, you can use the following to leave the email addresses in separate events:

which results in:

email1@email.com, email2@email.com, email3@email.com, email4@email.com, ... email1499@email.com, email1500@email.com

Hopefully one of those does what you're after?

Re: How to get a comma separated List

brownt61 — Tue, 30 Jun 2020 17:28:55 GMT

This is exactly what I needed. Thank you

topic Re: How to get a comma separated List in Splunk Search

How to get a comma separated List

Re: How to get a comma separated List

Re: How to get a comma separated List