Solved: Using value in lookup as source in search

eoghanmcd · ‎02-28-2020

Hello,

I am new to Splunk so apologies if this question seems overly simple.

Currently I have a search where in the query I list off the different sources, e.g.

 index=my_index host=my_host (source=".../component_1.log" OR source=".../component_2.log" OR ... etc)  "keyword"

However, requirements have changed and I now need to store that list of sources in a lookup file, which looks like this

source,
".../component_1.log"
".../component_2.log"
...
".../component_n.log"

Can I take the values stored in the lookup file and use them as a the source value in a subsequent search? It seems like something very easy but I just can't seem to get it right.

I have added the lookup correctly to my splunk environment and can see its contents okay.

|inputlookup my_lookup.csv

I just can't seem to combine the two elements, am I missing something basic?

|inputlookup my_lookup.csv | rename source as lookup_source | fields lookup_source | search index=my_index host=my_host source=lookup_source "keyword"

Thanks.

to4kawa · ‎02-28-2020

index=my_index host=my_host  "keyword" [|inputlookup my_lookup.csv ]

View solution in original post

to4kawa · ‎02-28-2020

index=my_index host=my_host  "keyword" [|inputlookup my_lookup.csv ]

Using value in lookup as source in search

Best Strategies to Optimize Observability Costs

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...