Splunk Search

How to add the field name via command in a lookup file?

joomla
Engager

Hi Community Support,

I have a lookup file with IP addresses where all the values are IP Addresses including the very first field and its keep changing.

Dummy Example:

192.168.10.10

192.168.10.11

192.168.10.12

Because the very first field value itself is an IP address so I want to add a field value into this lookup via Splunk search so that my lookup will show like below:

ip_address

192.168.10.10

192.168.10.11

192.168.10.12

Kindly suggest how to achieve these results. Many Thanks.

Labels (1)
0 Karma
1 Solution

andrew_nelson
Communicator

I have to agree with Rich, the Lookup Editor is definitely the simplest way to do it. 
The second best way would be to download the lookup, make your change in a text editor/spreadsheet editor and re-upload.

 

If you must use search try something like this:

| inputlookup lookup.csv
| fieldsummary
| table field
| rename field as ip_address
| append
[ inputlookup lookup.csv
| rename 192.* as ip_address]
| outputlookup lookup.csv

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

IMO, the best option is to use the Lookup File Editor app to modify the file.

If that's not possible, try this untested query.

| makeresults 
| eval ip_address="ip_address"
| inputlookup mylookupfile.csv append=true
| rename 192* as ip_address
| outputlookup mynewlookupfile.csv

Note the use of two different CSV file names in case the results  are not as expected.

---
If this reply helps you, Karma would be appreciated.
0 Karma

andrew_nelson
Communicator

You want to have the column title as a value in the lookup ?

0 Karma

joomla
Engager

Yes after change the current column title will be the value and new coloum title will be ip_address.

0 Karma

andrew_nelson
Communicator

I have to agree with Rich, the Lookup Editor is definitely the simplest way to do it. 
The second best way would be to download the lookup, make your change in a text editor/spreadsheet editor and re-upload.

 

If you must use search try something like this:

| inputlookup lookup.csv
| fieldsummary
| table field
| rename field as ip_address
| append
[ inputlookup lookup.csv
| rename 192.* as ip_address]
| outputlookup lookup.csv

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...