Solved: Using inputlookup value as source in search

eoghanmcd · ‎02-28-2020

Hello,

I'm new to Splunk so sorry if this seems like a basic question.

Previously, in my search I was listing various sources in the query itself:

  index=my_index  host=my_host  source="comp_1.log" OR source="comp_2.log" OR ...) "keyword I'm looking for in event"

However, that was getting difficult to maintain and doesn't really fit my requirements so I have now moved my sources to a lookup file with a structure like this:

sources.csv

source,
"comp_1.log"
"comp_2.log"
...
"comp_n.log"

My question is can I use these values in a search in a similar way to how I would use tokens?

I tried something like this but am not getting any results

|inputlookup sources.csv | search  index=my_index  host=my_host  source=source "keyword I'm looking for in event"

I'm sure this is something that can be done and that I'm just making a mistake somewhere.

richgalloway · ‎02-28-2020

Try a subsearch.

index=my_index  host=my_host  [ | inputlookup sources.csv | format ] "keyword I'm looking for in event"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-28-2020

Try a subsearch.

index=my_index  host=my_host  [ | inputlookup sources.csv | format ] "keyword I'm looking for in event"

---
If this reply helps you, Karma would be appreciated.

eoghanmcd · ‎02-28-2020

I hadn't come across format to concatenate values before but it suits my needs perfectly, here thanks

Using inputlookup value as source in search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation