Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to use a lookup to compare multiple fields

dsmith1988
Engager
‎08-15-2019 12:24 PM

I am trying to run a search from amazon.

index=amazon-aws sourcetype="aws:description" source="*:ec2_instances"

When we assign tags via AWS, each tag is shown as a field.

Example tags, Name would be the field and the value would be the friendly name we assign to the server.

We require our engineers to apply 8 specific tags. I am trying to use a lookup table to compare with my search and return only the instances that are missing one of the 8 tags.

The CSV is tags.csv the field in the CSV is development_ec2.

0 Karma
Reply

nareshinsvu
Builder
‎08-15-2019 11:25 PM 
 index=amazon-aws sourcetype="aws:description" source="*:ec2_instances"  | lookup  tags.csv development_ec2 as  field | where isnull(server)
0 Karma
Reply

dsmith1988
Engager
‎08-21-2019 08:04 AM

I am still having problems with this search. The above, still returns every instance, not just the ones that are missing tags. Server isnt a field name that AWS add on returns. I am not sure which field to leverage to make this work. I tried several and there was either no results are all servers returned. Apologies as I am very new to SPL and trying to absorb a lot of information quickly.

Thanks!~

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...