Solved: Using inputlookup value as source in search

eoghanmcd · ‎02-28-2020

Hello,

I'm new to Splunk so sorry if this seems like a basic question.

Previously, in my search I was listing various sources in the query itself:

  index=my_index  host=my_host  source="comp_1.log" OR source="comp_2.log" OR ...) "keyword I'm looking for in event"

However, that was getting difficult to maintain and doesn't really fit my requirements so I have now moved my sources to a lookup file with a structure like this:

sources.csv

source,
"comp_1.log"
"comp_2.log"
...
"comp_n.log"

My question is can I use these values in a search in a similar way to how I would use tokens?

I tried something like this but am not getting any results

|inputlookup sources.csv | search  index=my_index  host=my_host  source=source "keyword I'm looking for in event"

I'm sure this is something that can be done and that I'm just making a mistake somewhere.

richgalloway · ‎02-28-2020

Try a subsearch.

index=my_index  host=my_host  [ | inputlookup sources.csv | format ] "keyword I'm looking for in event"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-28-2020

Try a subsearch.

index=my_index  host=my_host  [ | inputlookup sources.csv | format ] "keyword I'm looking for in event"

---
If this reply helps you, Karma would be appreciated.

eoghanmcd · ‎02-28-2020

I hadn't come across format to concatenate values before but it suits my needs perfectly, here thanks

Using inputlookup value as source in search

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies