Splunk Search

How to add the field name via command in a lookup file?

joomla
Engager

Hi Community Support,

I have a lookup file with IP addresses where all the values are IP Addresses including the very first field and its keep changing.

Dummy Example:

192.168.10.10

192.168.10.11

192.168.10.12

Because the very first field value itself is an IP address so I want to add a field value into this lookup via Splunk search so that my lookup will show like below:

ip_address

192.168.10.10

192.168.10.11

192.168.10.12

Kindly suggest how to achieve these results. Many Thanks.

Labels (1)
0 Karma
1 Solution

andrew_nelson
Communicator

I have to agree with Rich, the Lookup Editor is definitely the simplest way to do it. 
The second best way would be to download the lookup, make your change in a text editor/spreadsheet editor and re-upload.

 

If you must use search try something like this:

| inputlookup lookup.csv
| fieldsummary
| table field
| rename field as ip_address
| append
[ inputlookup lookup.csv
| rename 192.* as ip_address]
| outputlookup lookup.csv

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

IMO, the best option is to use the Lookup File Editor app to modify the file.

If that's not possible, try this untested query.

| makeresults 
| eval ip_address="ip_address"
| inputlookup mylookupfile.csv append=true
| rename 192* as ip_address
| outputlookup mynewlookupfile.csv

Note the use of two different CSV file names in case the results  are not as expected.

---
If this reply helps you, Karma would be appreciated.
0 Karma

andrew_nelson
Communicator

You want to have the column title as a value in the lookup ?

0 Karma

joomla
Engager

Yes after change the current column title will be the value and new coloum title will be ip_address.

0 Karma

andrew_nelson
Communicator

I have to agree with Rich, the Lookup Editor is definitely the simplest way to do it. 
The second best way would be to download the lookup, make your change in a text editor/spreadsheet editor and re-upload.

 

If you must use search try something like this:

| inputlookup lookup.csv
| fieldsummary
| table field
| rename field as ip_address
| append
[ inputlookup lookup.csv
| rename 192.* as ip_address]
| outputlookup lookup.csv

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...