Hello,
I am new to Splunk so apologies if this question seems overly simple.
Currently I have a search where in the query I list off the different sources, e.g.
index=my_index host=my_host (source=".../component_1.log" OR source=".../component_2.log" OR ... etc) "keyword"
However, requirements have changed and I now need to store that list of sources in a lookup file, which looks like this
source,
".../component_1.log"
".../component_2.log"
...
".../component_n.log"
Can I take the values stored in the lookup file and use them as a the source value in a subsequent search? It seems like something very easy but I just can't seem to get it right.
I have added the lookup correctly to my splunk environment and can see its contents okay.
|inputlookup my_lookup.csv
I just can't seem to combine the two elements, am I missing something basic?
|inputlookup my_lookup.csv | rename source as lookup_source | fields lookup_source | search index=my_index host=my_host source=lookup_source "keyword"
Thanks.
index=my_index host=my_host "keyword" [|inputlookup my_lookup.csv ]