Splunk Search

Using a lookup to filter sourcetype

Mattjj
Explorer

Hi all,

I have a lookup instance_list, which I'm trying to use to filter my flow logs to only show the logs with the sourcetype as one of the instances I'm interested in, so:

index="sample_data" [|inputlookup instance_list | search instancename="*dc*" | lookup eni_list instanceid OUTPUT eni as sourcetype | format] | ......

There are 3-6 instances that match the search="*dc*" - running the inputlookup section on its own produces the correct list. Unfortunately I get no results, and applying the instance names to each log then filtering results in a really slow search.

Any pointers are really welcome!


ITWhisperer
SplunkTrust
index="sample_data" [|inputlookup instance_list | search instancename="*dc*" | lookup eni_list instanceid OUTPUT eni as sourcetype | fields sourcetype ] | ......

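Why the search as posted returns nothing while swapping `format` for `fields sourcetype` fixes it is easiest to see by expanding the subsearch by hand. The block below is an added Python simulation, not Splunk's code or anything from the thread: it models the implicit filter Splunk builds from subsearch rows (each row's fields ANDed, rows ORed) using constructed instance_list/eni_list contents and constructed flow-log events; only the lookup and field names (instance_list, eni_list, instancename, instanceid, eni, sourcetype) are taken from the posts.

```python
# Added example (not Splunk's own code): simulates how Splunk turns subsearch
# rows into an implicit filter (fields in a row ANDed, rows ORed), to show why
# the search as posted finds nothing while "| fields sourcetype" works.
# Constructed stand-in for instance_list after: search instancename="*dc*"
INSTANCE_ROWS = [
    {"instancename": "prod-dc-01", "instanceid": "i-0aaa"},
    {"instancename": "prod-dc-02", "instanceid": "i-0bbb"},
]
# Constructed stand-in for the eni_list lookup (instanceid -> eni)
ENI_LIST = {"i-0aaa": "eni-111", "i-0bbb": "eni-222", "i-0ccc": "eni-333"}
# Constructed flow-log events: they carry sourcetype but no instance fields
FLOW_EVENTS = [
    {"sourcetype": "eni-111", "action": "ACCEPT"},
    {"sourcetype": "eni-333", "action": "REJECT"},
    {"sourcetype": "eni-222", "action": "ACCEPT"},
]

def lookup_eni(rows):
    """Models: | lookup eni_list instanceid OUTPUT eni as sourcetype"""
    return [{**r, "sourcetype": ENI_LIST[r["instanceid"]]}
            for r in rows if r["instanceid"] in ENI_LIST]

def keep_fields(rows, *names):
    """Models: | fields <names>  (drops every other field from each row)"""
    return [{k: v for k, v in r.items() if k in names} for r in rows]

def format_filter(rows):
    """Approximates the search string Splunk builds from subsearch rows."""
    clauses = [" AND ".join(f'{k}="{v}"' for k, v in r.items()) for r in rows]
    return "( " + " OR ".join(f"( {c} )" for c in clauses) + " )"

def filter_events(rows, events):
    """Keep events that match some row on every one of that row's fields."""
    return [e for e in events
            if any(all(e.get(k) == v for k, v in r.items()) for r in rows)]

def as_posted():
    """Rows as in the question: instancename/instanceid still present, so the
    implicit filter demands fields the flow logs do not have -> 0 events."""
    return lookup_eni(INSTANCE_ROWS)

def as_answered():
    """Rows as in the accepted answer: only sourcetype survives -> 2 events."""
    return keep_fields(lookup_eni(INSTANCE_ROWS), "sourcetype")

if __name__ == "__main__":
    for rows in (as_posted(), as_answered()):
        print(format_filter(rows), "->", len(filter_events(rows, FLOW_EVENTS)))
```

Running it prints the two expanded filters side by side: the first clause set requires instancename and instanceid on every event and matches none, the second reduces to sourcetype values only and matches the two intended ENIs.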

Mattjj
Explorer

Works perfectly, thanks!
