Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to use a lookup to compare multiple fields

dsmith1988
Engager
‎08-15-2019 12:24 PM

I am trying to run a search from amazon.

index=amazon-aws sourcetype="aws:description" source="*:ec2_instances"

When we assign tags via AWS, each tag is shown as a field.

Example tags, Name would be the field and the value would be the friendly name we assign to the server.

We require our engineers to apply 8 specific tags. I am trying to use a lookup table to compare with my search and return only the instances that are missing one of the 8 tags.

The CSV is tags.csv the field in the CSV is development_ec2.

0 Karma
Reply

nareshinsvu
Builder
‎08-15-2019 11:25 PM 
 index=amazon-aws sourcetype="aws:description" source="*:ec2_instances"  | lookup  tags.csv development_ec2 as  field | where isnull(server)
0 Karma
Reply

dsmith1988
Engager
‎08-21-2019 08:04 AM

I am still having problems with this search. The above, still returns every instance, not just the ones that are missing tags. Server isnt a field name that AWS add on returns. I am not sure which field to leverage to make this work. I tried several and there was either no results are all servers returned. Apologies as I am very new to SPL and trying to absorb a lot of information quickly.

Thanks!~

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...