Splunk Search

Using a lookup to filter sourcetype

Mattjj
Explorer

Hi all,

I have a lookup instance_list, which I'm trying to use to filter my flow logs to only show the logs with the sourcetype as one of the instances I'm interested in, so:

index="sample_data" [|inputlookup instance_list | search instancename="*dc*" | lookup eni_list instanceid OUTPUT eni as sourcetype | format] | ......

There are 3-6 instances that match the search `"*dc*"`; running the inputlookup section on its own produces the correct list. Unfortunately I get no results, and applying the instance names to each log then filtering results in a really slow search.

Any pointers are really welcome!


ITWhisperer
SplunkTrust
index="sample_data" [|inputlookup instance_list | search instancename="*dc*" | lookup eni_list instanceid OUTPUT eni as sourcetype | fields sourcetype ] | ......

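Why the accepted answer works, as an added illustration that is not part of the original thread and not Splunk's own code: a subsearch's result rows are turned into a search clause in the same shape `| format` produces, each row becoming an AND of every `field="value"` pair it carries and the rows being OR'd together. The question's subsearch still carries `instancename` and `instanceid` alongside the looked-up `sourcetype`, so every OR branch demands fields the flow-log events do not have and nothing matches; restricting the rows to `sourcetype` first leaves only terms the events can satisfy. The Python model below reproduces that behaviour on constructed sample data (the lookup rows, ENI ids and flow-log events are made up, and the assumption that the lookup rows retain `instancename` and `instanceid` is taken from the commands in the question).

```python
"""Model of how a Splunk subsearch becomes a search clause.

Added illustration, not Splunk code. All lookup rows, ENI ids and flow-log
events below are constructed sample data.
"""
import fnmatch
import re

# Constructed stand-in for the instance_list lookup (assumed columns)
INSTANCE_LIST = [
    {"instancename": "dc01",  "instanceid": "i-0a1"},
    {"instancename": "dc02",  "instanceid": "i-0a2"},
    {"instancename": "web01", "instanceid": "i-0b1"},
]
# Constructed stand-in for the eni_list lookup: instanceid -> eni
ENI_LIST = {"i-0a1": "eni-aaa", "i-0a2": "eni-bbb", "i-0b1": "eni-ccc"}

# Constructed flow-log events; as in the question, only sourcetype is present
FLOW_LOGS = [
    {"sourcetype": "eni-aaa", "action": "ACCEPT"},
    {"sourcetype": "eni-bbb", "action": "REJECT"},
    {"sourcetype": "eni-ccc", "action": "ACCEPT"},
]


def inputlookup_search_lookup(pattern):
    """| inputlookup instance_list | search instancename=<pattern>
       | lookup eni_list instanceid OUTPUT eni as sourcetype
    Note the original columns are kept alongside the new sourcetype field."""
    rows = []
    for row in INSTANCE_LIST:
        if fnmatch.fnmatchcase(row["instancename"], pattern):
            out = dict(row)
            if row["instanceid"] in ENI_LIST:
                out["sourcetype"] = ENI_LIST[row["instanceid"]]
            rows.append(out)
    return rows


def keep_fields(rows, *names):
    """| fields <names>  (drop every other column)"""
    return [{k: r[k] for k in names if k in r} for r in rows]


def format_rows(rows):
    """Subsearch formatting, same shape as `| format`: each row is an AND of
    field="value" terms and the rows are OR'd together."""
    if not rows:
        return ""
    branches = []
    for r in rows:
        ands = " AND ".join(f'{k}="{v}"' for k, v in r.items())
        branches.append(f"( {ands} )")
    return "( " + " OR ".join(branches) + " )"


def run_search(clause, events):
    """index="sample_data" [subsearch]: keep events satisfying the clause.
    A branch matches only if every field it names exists with that value."""
    if not clause:
        return []
    inner = clause[2:-2]                       # strip outer "( " and " )"
    groups = [g[2:-2].split(" AND ") for g in inner.split(" OR ")]
    term = re.compile(r'^(\w+)="([^"]*)"$')
    parsed = [[term.match(t).groups() for t in g] for g in groups]
    return [e for e in events
            if any(all(e.get(f) == v for f, v in g) for g in parsed)]


def original_query():
    """The question's query: every branch also demands instancename and
    instanceid, which flow-log events lack, so nothing matches."""
    rows = inputlookup_search_lookup("*dc*")
    return run_search(format_rows(rows), FLOW_LOGS)


def fixed_query():
    """The accepted answer: `| fields sourcetype` before the implicit format."""
    rows = keep_fields(inputlookup_search_lookup("*dc*"), "sourcetype")
    return run_search(format_rows(rows), FLOW_LOGS)


if __name__ == "__main__":
    print("original clause:", format_rows(inputlookup_search_lookup("*dc*")))
    print("original hits:  ", original_query())
    print("fixed clause:   ", format_rows(keep_fields(inputlookup_search_lookup("*dc*"), "sourcetype")))
    print("fixed hits:     ", fixed_query())
```

When debugging a subsearch that returns nothing, the quickest check in Splunk itself is to run the subsearch alone with `| format` appended and read the `search` field it produces: any field name in that clause that the outer events do not carry will zero out the result.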

Mattjj
Explorer

Works perfectly, thanks!
