Creating a lookup from comma separated data...

Steve_Litras · ‎01-09-2014

I'm trying to do some work with qualys data. There are events that describe "asset groups", with a bunch of fields, one of which is "scanips", which is a comma separated list of IP addresses. something like:

asset_group_id=1376498 asset_group_title="San Francisco Assets" scanips=10.10.1.2,10.10.1.3,10.10.5.2

I'd like to process that data and use outputlookup to create a lookup table that would be something like

ip,asset_group

10.10.1.2,San Francisco Assets

10.10.1.3,San Francisco Assets

10.10.5.2,San Francisco Assets

I'd like to do this all within splunk, but can't figure out how. Any thoughts?

Thanks
Steve

somesoni2 · ‎01-09-2014

I am assuming the sample event your posted is already indexed and when searched, you are able to get fields asset_group_title and scanips.

query to select your event | fields asset_group_title, scanips | rename asset_group_title as asset_group, scanips as ip | eval ip=split(ip,",") | mvexpand ip | outputlookup yourlookupfilename

Creating a lookup from comma separated data...

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation

Creating a lookup from comma separated data...

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform