Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Creating a lookup from comma separated data...

Steve_Litras
Path Finder
‎01-09-2014 03:07 PM

I'm trying to do some work with qualys data. There are events that describe "asset groups", with a bunch of fields, one of which is "scanips", which is a comma separated list of IP addresses. something like:

asset_group_id=1376498 asset_group_title="San Francisco Assets" scanips=10.10.1.2,10.10.1.3,10.10.5.2

I'd like to process that data and use outputlookup to create a lookup table that would be something like

ip,asset_group

10.10.1.2,San Francisco Assets

10.10.1.3,San Francisco Assets

10.10.5.2,San Francisco Assets

I'd like to do this all within splunk, but can't figure out how. Any thoughts?

Thanks
Steve

Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎01-09-2014 07:52 PM

I am assuming the sample event your posted is already indexed and when searched, you are able to get fields asset_group_title and scanips. 

query to select your event | fields asset_group_title, scanips | rename asset_group_title as asset_group, scanips as ip | eval ip=split(ip,",") | mvexpand ip | outputlookup yourlookupfilename
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...
Top