Solved: Using value in lookup as source in search

eoghanmcd · ‎02-28-2020

Hello,

I am new to Splunk so apologies if this question seems overly simple.

Currently I have a search where in the query I list off the different sources, e.g.

 index=my_index host=my_host (source=".../component_1.log" OR source=".../component_2.log" OR ... etc)  "keyword"

However, requirements have changed and I now need to store that list of sources in a lookup file, which looks like this

source,
".../component_1.log"
".../component_2.log"
...
".../component_n.log"

Can I take the values stored in the lookup file and use them as a the source value in a subsequent search? It seems like something very easy but I just can't seem to get it right.

I have added the lookup correctly to my splunk environment and can see its contents okay.

|inputlookup my_lookup.csv

I just can't seem to combine the two elements, am I missing something basic?

|inputlookup my_lookup.csv | rename source as lookup_source | fields lookup_source | search index=my_index host=my_host source=lookup_source "keyword"

Thanks.

to4kawa · ‎02-28-2020

index=my_index host=my_host  "keyword" [|inputlookup my_lookup.csv ]

View solution in original post

to4kawa · ‎02-28-2020

index=my_index host=my_host  "keyword" [|inputlookup my_lookup.csv ]

Using value in lookup as source in search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!