Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to use a lookup to compare multiple fields

dsmith1988
Engager
‎08-15-2019 12:24 PM

I am trying to run a search from amazon.

index=amazon-aws sourcetype="aws:description" source="*:ec2_instances"

When we assign tags via AWS, each tag is shown as a field.

Example tags, Name would be the field and the value would be the friendly name we assign to the server.

We require our engineers to apply 8 specific tags. I am trying to use a lookup table to compare with my search and return only the instances that are missing one of the 8 tags.

The CSV is tags.csv the field in the CSV is development_ec2.

0 Karma
Reply

nareshinsvu
Builder
‎08-15-2019 11:25 PM 
 index=amazon-aws sourcetype="aws:description" source="*:ec2_instances"  | lookup  tags.csv development_ec2 as  field | where isnull(server)
0 Karma
Reply

dsmith1988
Engager
‎08-21-2019 08:04 AM

I am still having problems with this search. The above, still returns every instance, not just the ones that are missing tags. Server isnt a field name that AWS add on returns. I am not sure which field to leverage to make this work. I tried several and there was either no results are all servers returned. Apologies as I am very new to SPL and trying to absorb a lot of information quickly.

Thanks!~

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...