topic Re: splunk search in Splunk Search

splunk search

SN1 — Thu, 09 Oct 2025 05:29:56 GMT

so i have a index paloalto and a lookup file both have 1 field common app , now i want app which are present in lookup and index as well but there is a problem like in lookup if there is Alexa as an app then in index its amazon-alexa , or in lookup it is "windows xbox" in index it is "xbox-live" and some matches perfectly lilke spotify now tell me a spl where if any part of the name matches just display the app name from lookup as well as index.

Re: splunk search

PickleRick — Thu, 09 Oct 2025 06:02:13 GMT

You either need to fix your lookup or make an intermediate lookup for matching one set 0f values with another. How else is your Splunk supposed to know which values match which ones? Guess? Pick at random?

Re: splunk search

gcusello — Thu, 09 Oct 2025 06:32:04 GMT

Hi @SN1 ,

you could try something like this:

index=paloalto [ | inputlookup your_lookup.csv | rename app AS query | fields query ]

Ciao.

Giuseppe

Re: splunk search

yuanliu — Thu, 09 Oct 2025 14:50:05 GMT

To further @PickleRick 's recommendation, how about you tell us how that lookup is produced? What control do you have over that production?

One way or another, you need to describe the logic to "match" index field app to lookup field app. Why does windows xbox match xbox-live? Does windows-xbox match xbox-unalive, too? Why doesn't windows-xbox match mail box?