How to use a lookup to compare multiple fields

dsmith1988 · ‎08-15-2019

I am trying to run a search from amazon.

index=amazon-aws sourcetype="aws:description" source="*:ec2_instances"

When we assign tags via AWS, each tag is shown as a field.

Example tags, Name would be the field and the value would be the friendly name we assign to the server.

We require our engineers to apply 8 specific tags. I am trying to use a lookup table to compare with my search and return only the instances that are missing one of the 8 tags.

The CSV is tags.csv the field in the CSV is development_ec2.

nareshinsvu · ‎08-15-2019

 index=amazon-aws sourcetype="aws:description" source="*:ec2_instances"  | lookup  tags.csv development_ec2 as  field | where isnull(server)

dsmith1988 · ‎08-21-2019

I am still having problems with this search. The above, still returns every instance, not just the ones that are missing tags. Server isnt a field name that AWS add on returns. I am not sure which field to leverage to make this work. I tried several and there was either no results are all servers returned. Apologies as I am very new to SPL and trying to absorb a lot of information quickly.

Thanks!~

How to use a lookup to compare multiple fields

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?