Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Input lookup a value in a list of items

JohnGilmour
New Member
‎11-05-2019 02:54 AM

Hello All,

I have a file below which contains a list of Servers and which Group they belong time:

Server, Environment, Groups
Server 1, Production, Group 1
Server 2, Production, Group 2
Server 3, Corporate, Group 2
....
Server 50, Web, Group 3 
Server 51, Web, Group 4
Server 52, Production, Group 2

My index contains a string of Groups (many of which are irrelevant), in a field called TAGS. My question is how do I go about giving all the data in the MASTER index, where the TAGS Field contains a match in the inputlookup?

    Index = Master: TAGS Example "Group 1, XX, Europe, YYY, ZZ, PPPPPPPP, ABCD"

I have treid the below neither of which return results.

| inputlookup server_asset_groups where Environment = "Web" OR Environment = "Production" 
| dedup Groups
| table Groups
| join Groups
    [search index=MASTER | dedup HOST_ID sortby | eval Groups= split(TAGS,",") ]    
|  table AssetGroup TAGS


index=MASTER
| dedup HOST_ID sortby +_time 
| eval Groups= split(TAGS,",") 
| join Groups
[| inputlookup server_asset_groups where Environment = "Web" OR Environment = "Production" | return Groups]
Tags (2)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-05-2019 04:05 AM

Hi JohnGilmour,
you should divide your tags and use them to search, something like this:

index=MASTER
| makemv TAGS
| mvexpand TAGS
| lookup server_asset_groups Groups AS TAGS OUTPUT Server Environment
| search Server=*
| dedup Server Environment Groups
| sort Groups Server
| table Server Environment Groups

Ciao.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...