I know this was a very old question. I encountered a similar requirement as our syslog is forwarded from a forwarder
It would help you if you do a regex field extraction to break down the fields; identify your user, "hostname" (which is your [serverType]p100n), your serverType (if you want), your linux command. This would be your input to your dynamic lookup (see later)
then you can configure a csv file as the input to all your "hostname" (this is not your lookup in the traditional splunk sense )
last, code up a dynamic lookup (dynamic lookup) that uses the above csv file to perform the search.
Just sharing my experience.
... View more