topic Re: Wildcards working for inputlookup but not lookup? in Splunk Search

Wildcards working for inputlookup but not lookup?

jpawloski — Tue, 03 Jul 2018 12:39:36 GMT

Been targeting the same lookup definition and my lookup just refuses to recognize wildcards in my lookup table. My inputlookup works like so and properly accounts for the wildcards:

search NOT [|inputlookup bad_columns | table SCAN_TYPE TABLE NAME SINGLE_COLUMN]

My lookup is below and just doesn't work:

foreach Column* [lookup bad_columns SCAN_TYPE AS SCAN_TYPE TABLE_NAME AS TABLE_NAME SINGLE_COLUMN AS <<FIELD>> OUTPUT SINGLE_COLUMN as match | various other evals...]

I'm not sure if the <<FIELD>> rename is allowed or if match_type can vary between these two commands. I do not have access to transforms.conf, FYI.

Re: Wildcards working for inputlookup but not lookup?

janispelss — Tue, 03 Jul 2018 14:03:02 GMT

Did you set the match type to WILDCARD for your lookup? If not, then to get this working through the web UI go to Settings -> Lookups -> Lookup definitions. Find your lookup there, and in it's advanced options in the "Match type" field add WILDCARD(your_field) for any fields that you want to enable wildcard matching with. In your case I guess it would be

WILDCARD(SCAN_TYPE), WILDCARD(TABLE_NAME), WILDCARD(SINGLE_COLUMN)

This should allow the lookup command to correctly match using wildcards.

Re: Wildcards working for inputlookup but not lookup?

jpawloski — Tue, 03 Jul 2018 14:30:29 GMT

I'm on Splunk 6.2 so I do not have this option. But are you saying lookups and inputlookups can have different match_types?

Re: Wildcards working for inputlookup but not lookup?

janispelss — Wed, 04 Jul 2018 06:18:05 GMT

Ah, didn't realize that the UI part was a somewhat recent addition. So to get the wildcard matching for lookup command to work, I guess you'll probably need help from someone who does have the access to transforms.conf.

The thing with inputlookup is that it doesn't actually match anything. In the subsearch inputlookup just creates some table and that's where any lookup specific configurations end. The filtering is done by the search command - in a search command anything in the square brackets gets expanded into a series of search terms with AND and OR operators. You can see what it actually gets expanded to with the format command: | inputlookup some_lookup | table field1 field2 field3 | head 5 | format.

So if your lookup has "*" characters in it, they would simply become wildcards in a search command, and the match_type is never even used. Which is why your first search works correctly.