https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27765#M5429 <P>All the solutions work fine - thanks a lot!<BR /> This one (subjectively) is the most versatile one - but thanks a lot to everyone for helping <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>It's a shame more than one answer cannot be marked as the right one...</P> Fri, 09 Dec 2011 12:55:46 GMT wsw70 2011-12-09T12:55:46Z https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27760#M5424 <P>Hello,</P> <P>Following up on <A href="http://splunk-base.splunk.com/answers/35434/adding-a-field-based-on-other-fields">the excellent answer to my question about (essentially) using a lookup table</A>, I wonder how to deal with events not referenced in the lookup table. Namely I have a lookup table</P> <PRE><CODE>product,vendor MS,Microsoft Microsoft,Microsoft Adobe,Adobe Flash,Adobe </CODE></PRE> <P>It works fine, but the only events available after a lookup are the ones which match the lookup table. This means that the other ones are discarded -- I would like to keep them, though, and assign them to a vendor "other" (a fallback category, so to speak). Essentially I would be looking for a lookup table like</P> <PRE><CODE>product,vendor MS,Microsoft Microsoft,Microsoft Adobe,Adobe Flash,Adobe *,others </CODE></PRE> <P>I know that this is not the correct way to build the table, I just wanted to give an idea about the sought result <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> I use this lookup directly from the search field (as of now).</P> <P>Thanks!</P> Fri, 02 Dec 2011 15:15:59 GMT https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27760#M5424 wsw70 2011-12-02T15:15:59Z https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27761#M5425 <P>One approach is to use an <CODE>eval</CODE> to fix it after the fact.</P> <PRE><CODE>... | eval vendor=coalesce(vendor,"others") </CODE></PRE> Fri, 02 Dec 2011 15:48:08 GMT https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27761#M5425 dwaddle 2011-12-02T15:48:08Z https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27762#M5426 <P>Thank you! This does the trick</P> Fri, 02 Dec 2011 16:17:12 GMT https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27762#M5426 wsw70 2011-12-02T16:17:12Z https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27763#M5427 <P>I've been using the default matches section of the lookup for that. If something doesn't exist in my lookup table it takes the defaults.</P> Fri, 02 Dec 2011 16:34:51 GMT https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27763#M5427 MickSheppard 2011-12-02T16:34:51Z https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27764#M5428 <P>Another approach (in addition to <CODE>default_match</CODE> as mentioned by MickSheppard, and in addition to evaluating afterwards) is tospecify in your lookup defintion that a certain field is matched using wildcards. In transforms.conf in the lookup table definition:</P> <PRE><CODE>[mylookuptablename] filename=mylookupfile.csv match_type=WILDCARD(product) </CODE></PRE> <P>This will then let your above CSV match using the "*" wildcard. (Partial wildcard matches are also possible.)</P> Fri, 02 Dec 2011 16:45:36 GMT https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27764#M5428 gkanapathy 2011-12-02T16:45:36Z https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27765#M5429 <P>All the solutions work fine - thanks a lot!<BR /> This one (subjectively) is the most versatile one - but thanks a lot to everyone for helping <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>It's a shame more than one answer cannot be marked as the right one...</P> Fri, 09 Dec 2011 12:55:46 GMT https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27765#M5429 wsw70 2011-12-09T12:55:46Z https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27766#M5430 <P>One final question: what do you mean by "Partial wildcard matches are also possible"?</P> <P>The * wilcard on its own works fine.<BR /> I tried * Java * to catch both "Oracle Java something" and "Sun Java something" but the match does not work<BR /> (there is no space between the stars and the word Java, otherwise the comment system interprets this as "Java in italics")</P> Fri, 09 Dec 2011 13:56:41 GMT https://community.splunk.com/t5/Splunk-Search/adding-fallback-quot-others-quot-to-a-lookup-table/m-p/27766#M5430 wsw70 2011-12-09T13:56:41Z