Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Creating a lookup from comma separated data...

Steve_Litras
Path Finder
‎01-09-2014 03:07 PM

I'm trying to do some work with qualys data. There are events that describe "asset groups", with a bunch of fields, one of which is "scanips", which is a comma separated list of IP addresses. something like:

asset_group_id=1376498 asset_group_title="San Francisco Assets" scanips=10.10.1.2,10.10.1.3,10.10.5.2

I'd like to process that data and use outputlookup to create a lookup table that would be something like

ip,asset_group

10.10.1.2,San Francisco Assets

10.10.1.3,San Francisco Assets

10.10.5.2,San Francisco Assets

I'd like to do this all within splunk, but can't figure out how. Any thoughts?

Thanks
Steve

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎01-09-2014 07:52 PM

I am assuming the sample event your posted is already indexed and when searched, you are able to get fields asset_group_title and scanips. 

query to select your event | fields asset_group_title, scanips | rename asset_group_title as asset_group, scanips as ip | eval ip=split(ip,",") | mvexpand ip | outputlookup yourlookupfilename
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...