Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Creating a lookup from comma separated data...

Steve_Litras
Path Finder
‎01-09-2014 03:07 PM

I'm trying to do some work with qualys data. There are events that describe "asset groups", with a bunch of fields, one of which is "scanips", which is a comma separated list of IP addresses. something like:

asset_group_id=1376498 asset_group_title="San Francisco Assets" scanips=10.10.1.2,10.10.1.3,10.10.5.2

I'd like to process that data and use outputlookup to create a lookup table that would be something like

ip,asset_group

10.10.1.2,San Francisco Assets

10.10.1.3,San Francisco Assets

10.10.5.2,San Francisco Assets

I'd like to do this all within splunk, but can't figure out how. Any thoughts?

Thanks
Steve

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎01-09-2014 07:52 PM

I am assuming the sample event your posted is already indexed and when searched, you are able to get fields asset_group_title and scanips. 

query to select your event | fields asset_group_title, scanips | rename asset_group_title as asset_group, scanips as ip | eval ip=split(ip,",") | mvexpand ip | outputlookup yourlookupfilename
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...