https://community.splunk.com/t5/Splunk-Search/Lookup-default-match-for-multiple-columns/m-p/191519#M55152 <P>As I could not get the <CODE>WILDCARD</CODE> approach to work (the lookup always fails and the fields end up as NULL), I used:</P> <PRE> | fillnull value="Unknown network error" network_status_title | fillnull value="Network Error" network_status_type | fillnull value="Failure" network_status_ok </PRE> <P>instead in the query; e.g. when the lookup fails supply default values manually. </P> <P>Although the <CODE>WILDCARD</CODE> should have worked (I probably didn't re-load the dataset) I've since had confirmation from Splunk that using <CODE>fillnull</CODE> is better from a performance point of view here.</P> Tue, 13 Jan 2015 12:00:54 GMT mjpieters 2015-01-13T12:00:54Z https://community.splunk.com/t5/Splunk-Search/Lookup-default-match-for-multiple-columns/m-p/191518#M55151 <P>We are using a CSV to map one field to two more:</P> <PRE> status,status_title,status_type,status_ok -,Network connection successful,Network success,Success D,DNS lookup failure,Network failure,Failure </PRE> <P>etc, with a lookup:</P> <PRE> lookup network_status_codes status AS receiver_network_status OUTPUTNEW status_title AS network_status_title, status_type AS network_status_type, status_ok AS network_status_ok </PRE> <P>How can I handle falling back to defaults for all three columns? The <CODE>default_match</CODE> field appears to only let me provide <EM>one</EM> fallback; I don't think I can use:</P> <PRE> [network_status_codes] filename = network_status_codes.csv min_matches = 1 default_match = Unknown network error,Network failure,Failure </PRE> <P>here.</P> <P>Should I use a wildcard match instead? E.g. add a row:</P> <PRE> *,Unknown network error,Network failure,Failure </PRE> <P>then set the match type:</P> <PRE> match_type = WILDCARD(status) </PRE> <P>to make this work?</P> Mon, 12 Jan 2015 11:27:03 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-default-match-for-multiple-columns/m-p/191518#M55151 mjpieters 2015-01-12T11:27:03Z https://community.splunk.com/t5/Splunk-Search/Lookup-default-match-for-multiple-columns/m-p/191519#M55152 <P>As I could not get the <CODE>WILDCARD</CODE> approach to work (the lookup always fails and the fields end up as NULL), I used:</P> <PRE> | fillnull value="Unknown network error" network_status_title | fillnull value="Network Error" network_status_type | fillnull value="Failure" network_status_ok </PRE> <P>instead in the query; e.g. when the lookup fails supply default values manually. </P> <P>Although the <CODE>WILDCARD</CODE> should have worked (I probably didn't re-load the dataset) I've since had confirmation from Splunk that using <CODE>fillnull</CODE> is better from a performance point of view here.</P> Tue, 13 Jan 2015 12:00:54 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-default-match-for-multiple-columns/m-p/191519#M55152 mjpieters 2015-01-13T12:00:54Z https://community.splunk.com/t5/Splunk-Search/Lookup-default-match-for-multiple-columns/m-p/191520#M55153 <P>The wildcard requires enabling in <CODE>transforms.conf</CODE>, e.g.</P> <PRE><CODE>match_type = WILDCARD(status) max_matches = 1 </CODE></PRE> <P>The <CODE>max_matches</CODE> stops the status matching the wildcard for known values. The lookup csv file can then have an extra entry:</P> <PRE><CODE>*,Default title,Default type,Default ok </CODE></PRE> Tue, 26 May 2015 17:15:25 GMT https://community.splunk.com/t5/Splunk-Search/Lookup-default-match-for-multiple-columns/m-p/191520#M55153 madchutney 2015-05-26T17:15:25Z