Channel: Questions in topic: "splunk-enterprise"

Using inputlookup value as source in search

Hello, I'm new to Splunk so sorry if this seems like a basic question.

Previously, in my search I was listing various sources in the query itself:

    index=my_index host=my_host (source="comp_1.log" OR source="comp_2.log" OR ...) "keyword I'm looking for in event"

However, that was getting difficult to maintain and doesn't really fit my requirements, so I have now moved my sources to a lookup file with a structure like this:

    sources.csv

    source,
    "comp_1.log"
    "comp_2.log"
    ...
    "comp_n.log"

My question is: can I use these values in a search in a similar way to how I would use tokens? I tried something like this but am not getting any results:

    | inputlookup sources.csv | search index=my_index host=my_host source=source "keyword I'm looking for in event"

I'm sure this is something that can be done and that I'm just making a mistake somewhere.
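
An added example, not part of the original post: one way to do this in SPL is a subsearch, which runs first and whose rows are expanded into OR'ed source="..." terms inside the outer search. It assumes sources.csv is uploaded as a lookup table file whose column header is exactly source (matching the event field name); the trailing stats is only there to confirm which of the listed sources actually matched.

```spl
index=my_index host=my_host "keyword I'm looking for in event"
    [| inputlookup sources.csv
     | fields source
     | dedup source
     | format ]
| stats count AS events BY source
```

The attempt in the question returns nothing because `| search` placed after `inputlookup` filters the lookup rows themselves, which carry no index or host fields, instead of querying the index. Running the bracketed pipeline on its own, without the brackets, shows the filter expression that gets substituted into the outer search.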
