Solved: Using value in lookup as source in search

eoghanmcd · ‎02-28-2020

Hello,

I am new to Splunk so apologies if this question seems overly simple.

Currently I have a search where in the query I list off the different sources, e.g.

 index=my_index host=my_host (source=".../component_1.log" OR source=".../component_2.log" OR ... etc)  "keyword"

However, requirements have changed and I now need to store that list of sources in a lookup file, which looks like this

source,
".../component_1.log"
".../component_2.log"
...
".../component_n.log"

Can I take the values stored in the lookup file and use them as a the source value in a subsequent search? It seems like something very easy but I just can't seem to get it right.

I have added the lookup correctly to my splunk environment and can see its contents okay.

|inputlookup my_lookup.csv

I just can't seem to combine the two elements, am I missing something basic?

|inputlookup my_lookup.csv | rename source as lookup_source | fields lookup_source | search index=my_index host=my_host source=lookup_source "keyword"

Thanks.

to4kawa · ‎02-28-2020

index=my_index host=my_host  "keyword" [|inputlookup my_lookup.csv ]

View solution in original post

to4kawa · ‎02-28-2020

index=my_index host=my_host  "keyword" [|inputlookup my_lookup.csv ]

Using value in lookup as source in search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Index This | What travels the world but is also stuck in place?

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

Join the Conversation