topic Re: Can we use wildcard characters in a lookup table? in Splunk Search

Can we use wildcard characters in a lookup table?

rakesh_498115 — Tue, 10 Jul 2012 10:02:07 GMT

Can I create a lookup table with wildcard character *?

I have a lookup like

input,output
user*,USERNAME

so anything that comes like user or user1 or username will match user* and output USERNAME.

Re: Can we use wildcard characters in a lookup table?

Ayn — Tue, 10 Jul 2012 10:37:08 GMT

You certainly can. Use the match_type in transforms.conf to specify the field you want to match on as a wildcard, then populate your lookup table just like you've planned to.

So something like this in props.conf:

[yoursourcetype]
LOOKUP-user = userlookup user OUTPUT username

And in transforms.conf:

[userlookup]
filename = userlookup.csv
match_type = WILDCARD(user)

And finally your userlookup.csv:

user,username
user*,USERNAME

You now should be seeing USERNAME whenever the user field has a value of something beginning with "user".

Re: Can we use wildcard characters in a lookup table?

andrewtrobec — Wed, 07 Dec 2016 21:53:38 GMT

I know this thread is old, but I'm trying to the same thing and am stuck. I've followed the instructions but something doesn't make sense to me. Here are my configurations:

props.conf

[mysourcetype]
LOOKUP-sector = sectorlookup "Lookup Field" OUTPUT Sector

transforms.conf

[sectorlookup]
filename = L_Sectors.csv
match_type = WILDCARD("Lookup Field")

L_Sectors.csv

"Lookup Field","Sector"
"A1-A2-A3*","Sector1"
"B1-B2-B3-B4*","Sector2"
"C1-C2-C3*","Sector3"
"D1-D2-D3-D4-D5*","Sector4"

My question is: how do I structure the lookup command? Right now I have

* | lookup L_Sectors.csv "Lookup Field" OUTPUT Sector | table "Lookup Field", Sector

but I'm not getting results. Am I doing the search correctly?

Re: Can we use wildcard characters in a lookup table?

alexandermunce — Thu, 15 Dec 2016 04:12:10 GMT

FYI - the props.conf addition is not required unless you require an automatic lookup.

Just to expand on the lookup command you have proposed - I will include the default functions which are implied by your command above:

I will rewrite your command above with annotations to point out notable issues:

lookup L_Sectors.csv**(1)** "Lookup Field" **(2)** OUTPUT Sector**(3)** | table "Lookup Field", Sector

(1) You need to invoke the stanza which you have defined which would be:
lookup sectorlookup etc

(2) The syntax for the lookup command is:
lookup < lookup-table-name > < lookup-field1 > AS < event-field1 >

If you do not specify an < event-field > then it will default to lookup an event field with the same name as the < lookup-field >

(3) Note - if you have a field named Sector already this will will be overwritten.

Re: Can we use wildcard characters in a lookup table?

VARWIZ — Thu, 05 Jan 2017 17:36:25 GMT

this is printing out all the events. even if its not matching the wildcard? any reason why ?

Re: Can we use wildcard characters in a lookup table?

VARWIZ — Thu, 05 Jan 2017 21:37:31 GMT

I dont have access to transforms.conf. is there anyway we can do this using normal search query ?

Re: Can we use wildcard characters in a lookup table?

DalJeanis — Fri, 03 Mar 2017 16:09:27 GMT

When you have a similar situation to an old question, please post a new question with a link to the old one and with the specifics of your current situation. That will get you more, better, faster results from the community, as opposed to posting comments or answers on an older question (especially one which has been marked "answered" for LITERALLY years).

Re: Can we use wildcard characters in a lookup table?

the_wolverine — Wed, 08 Mar 2017 17:25:38 GMT

The props/transforms is required to enable wildcard lookup against the "lookup field". I suspect the "lookup field" need to be "lookup_field". Don't believe that spaces are allowed in field names and may be breaking this.

Re: Can we use wildcard characters in a lookup table?

leonjxtan — Fri, 21 Apr 2017 03:31:28 GMT

thanks. how is this configured in GUI? As I'm doing everything in GUI so far...,

Re: Can we use wildcard characters in a lookup table?

tmcmaster — Thu, 14 Jun 2018 14:41:39 GMT

It looks like as of at least Splunk Version 7.0.3.4 if you go into Lookups -> Lookup definitions and select the "Advanced options" checkbox there's now a Match type field. I just added "WILDCARD(fieldname)" there and it worked.