I'm trying to do some work with Qualys data. There are events that describe "asset groups" with a bunch of fields, one of which is "scanips", a comma-separated list of IP addresses, something like:
asset_group_id=1376498 asset_group_title="San Francisco Assets" scanips=10.10.1.2,10.10.1.3,10.10.5.2
I'd like to process that data and use outputlookup to create a lookup table that would be something like
ip,asset_group
10.10.1.2,San Francisco Assets
10.10.1.3,San Francisco Assets
10.10.5.2,San Francisco Assets
I'd like to do this all within Splunk, but can't figure out how. Any thoughts?
Thanks, Steve
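One way to build that lookup entirely in SPL, as an added example rather than anything from the original post: split the comma-separated field into a multivalue field, expand it to one row per IP, and write the result out. The base search (index and sourcetype), the output filename and the rename targets are assumptions; replace them with whatever matches your Qualys ingest.

```spl
index=qualys sourcetype=qualys:asset_group scanips=*
| makemv delim="," scanips
| mvexpand scanips
| rename scanips AS ip, asset_group_title AS asset_group
| table ip asset_group
| dedup ip asset_group
| outputlookup asset_group_ips.csv
```

`makemv` turns `10.10.1.2,10.10.1.3,10.10.5.2` into three values, `mvexpand` produces one event per value, and `dedup` keeps repeated asset-group events from duplicating rows; if an IP belongs to several groups it will appear once per group, so decide whether your lookup should key on `ip` alone before relying on it for enrichment.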