Hi all,
I have a lookup instance_list, which I'm trying to use to filter my flow logs to only show the logs with the sourcetype as one of the instances I'm interested in, so:
index="sample_data" [|inputlookup instance_list | search instancename="*dc*" | lookup eni_list instanceid OUTPUT eni as sourcetype | format] | ......
There are 3-6 instances that match the search="*dc*" - running the inputlookup section on its own produces the correct list. Unfortunately I get no results, and applying the instance names to each log then filtering results in a really slow search.
Any pointers are really welcome!
index="sample_data" [|inputlookup instance_list | search instancename="*dc*" | lookup eni_list instanceid OUTPUT eni as sourcetype | fields sourcetype ] | ......
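An added example, not taken from the thread, that reproduces the difference without the two lookups: makeresults rows with made-up instance ids, names and ENI ids stand in for instance_list and eni_list. The first branch mirrors the original subsearch, where every lookup field reaches format; the second mirrors the fix, where only sourcetype survives.

```spl
| makeresults count=1
| eval instanceid="i-0aaa", instancename="app-dc-01", sourcetype="eni-0aaa"
| append [| makeresults count=1
    | eval instanceid="i-0bbb", instancename="app-dc-02", sourcetype="eni-0bbb"]
| fields - _time
| format
| eval variant="original: all lookup fields reach format"
| append [
    | makeresults count=1
    | eval instanceid="i-0aaa", instancename="app-dc-01", sourcetype="eni-0aaa"
    | append [| makeresults count=1
        | eval instanceid="i-0bbb", instancename="app-dc-02", sourcetype="eni-0bbb"]
    | fields sourcetype
    | format
    | eval variant="fixed: fields sourcetype before format"]
| table variant search
```

The first row's search value should read ( ( instanceid="i-0aaa" AND instancename="app-dc-01" AND sourcetype="eni-0aaa" ) OR ( instanceid="i-0bbb" AND instancename="app-dc-02" AND sourcetype="eni-0bbb" ) ), which matches no flow-log event because those events carry no instanceid or instancename field; the second should read ( ( sourcetype="eni-0aaa" ) OR ( sourcetype="eni-0bbb" ) ), which is the clause the outer search actually needs.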
Works perfectly, thanks!