I am trying to use a wildcard based lookup table as part of a query that will get all non-wildcard based values so that I can use them in a real lookup.

My company maintains 100+ firewalls, sometimes more. All the firewalls send traffic logs to Splunk. I would like to be able to break down the traffic logs into locations without having to know every single firewall name, so I created a lookup table that looks something like this

firewalls.csv

description, location,  search_name,       monitored
testFW1,     location1, fw-loc1-*,         Y
testFW2,     location2, fw-loc2-*,         Y
testFWsub2,  location2, fw-branch*-loc3-*, Y

If it were not for the fact that I need a wildcard in the middle of the string to find my lookup data, I could just ask my admin to change some .conf file so that my csv could do wildcard lookups.

I solved this by searching for values and then aggregating on the wildcard value, like this

|inputlookup firewalls.csv 
| map maxsearches=20 search="|tstats prestats=t values(host) where index=pan_logs host=$dvc$ | stats values(host) as host | eval dvc=$dvc$" 
| append [|inputlookup firewalls.csv]  | append [|inputlookup firwalls_lookup.csv] 
| stats values(host) as host first(loc) as loc first(monitored) as monitored first(note) as note by dvc
|outputlookup firewalls_lookup.csv

Now I can use the hosts values in a lookup

index=pan_logs | head 10 | lookup firewalls_lookup.csv host | table src_ip dest_ip host location monitored

This seems like a lot of work though. Basically, I am using a csv to create a legit lookup table (would probably run this nightly).
Is there a better approach?