Input lookup a value in a list of items

JohnGilmour · ‎11-05-2019

Hello All,

I have a file below which contains a list of Servers and which Group they belong time:

Server, Environment, Groups
Server 1, Production, Group 1
Server 2, Production, Group 2
Server 3, Corporate, Group 2
....
Server 50, Web, Group 3 
Server 51, Web, Group 4
Server 52, Production, Group 2

My index contains a string of Groups (many of which are irrelevant), in a field called TAGS. My question is how do I go about giving all the data in the MASTER index, where the TAGS Field contains a match in the inputlookup?

    Index = Master: TAGS Example "Group 1, XX, Europe, YYY, ZZ, PPPPPPPP, ABCD"

I have treid the below neither of which return results.

| inputlookup server_asset_groups where Environment = "Web" OR Environment = "Production" 
| dedup Groups
| table Groups
| join Groups
    [search index=MASTER | dedup HOST_ID sortby | eval Groups= split(TAGS,",") ]    
|  table AssetGroup TAGS


index=MASTER
| dedup HOST_ID sortby +_time 
| eval Groups= split(TAGS,",") 
| join Groups
[| inputlookup server_asset_groups where Environment = "Web" OR Environment = "Production" | return Groups]

gcusello · ‎11-05-2019

Hi JohnGilmour,
you should divide your tags and use them to search, something like this:

index=MASTER
| makemv TAGS
| mvexpand TAGS
| lookup server_asset_groups Groups AS TAGS OUTPUT Server Environment
| search Server=*
| dedup Server Environment Groups
| sort Groups Server
| table Server Environment Groups

Ciao.
Giuseppe

Input lookup a value in a list of items

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!