- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to add the field name via command in a lookup ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Community Support,
I have a lookup file with IP addresses where all the values are IP Addresses including the very first field and its keep changing.
Dummy Example:
192.168.10.10
192.168.10.11
192.168.10.12
Because the very first field value itself is an IP address so I want to add a field value into this lookup via Splunk search so that my lookup will show like below:
ip_address
192.168.10.10
192.168.10.11
192.168.10.12
Kindly suggest how to achieve these results. Many Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have to agree with Rich, the Lookup Editor is definitely the simplest way to do it.
The second best way would be to download the lookup, make your change in a text editor/spreadsheet editor and re-upload.
If you must use search try something like this:
| inputlookup lookup.csv
| fieldsummary
| table field
| rename field as ip_address
| append
[ inputlookup lookup.csv
| rename 192.* as ip_address]
| outputlookup lookup.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IMO, the best option is to use the Lookup File Editor app to modify the file.
If that's not possible, try this untested query.
| makeresults
| eval ip_address="ip_address"
| inputlookup mylookupfile.csv append=true
| rename 192* as ip_address
| outputlookup mynewlookupfile.csvNote the use of two different CSV file names in case the results are not as expected.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You want to have the column title as a value in the lookup ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes after change the current column title will be the value and new coloum title will be ip_address.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have to agree with Rich, the Lookup Editor is definitely the simplest way to do it.
The second best way would be to download the lookup, make your change in a text editor/spreadsheet editor and re-upload.
If you must use search try something like this:
| inputlookup lookup.csv
| fieldsummary
| table field
| rename field as ip_address
| append
[ inputlookup lookup.csv
| rename 192.* as ip_address]
| outputlookup lookup.csv
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
