https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-wildcards-or-regex-in-lookup-csv-file/m-p/198820#M57541 <P>You might be able to adapt something like the following:</P> <P><CODE>search-goes-here | eval OSGroup=case(match(OSName,"Microsoft Windows 7(.*)"),"Windows Client", match(OSName,"Microsoft Windows 8(.*)"),"Windows Client",match(OSName,"Microsoft Windows Server(.*)"),"Windows Server")</CODE></P> <P>The second argument to each <CODE>match</CODE> function is a regex, and the <CODE>case</CODE> statement lets you line up your matches with your output values.</P> <P>While you can't put these in CSV files, you can turn the <CODE>eval</CODE> clause into a macro (add it to <CODE>macros.conf</CODE>) and refer to it wherever you need it.</P> Mon, 16 Jun 2014 16:23:59 GMT aweitzman 2014-06-16T16:23:59Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-wildcards-or-regex-in-lookup-csv-file/m-p/198819#M57540 <P>Hello</P> <P>Following up on a previous question about lookups I am looking for a way to either use or simulate wildcards in a .csv lookup file.</P> <P>I have fields like</P> <PRE><CODE>Microsoft Windows 8.1 Pro Microsoft Windows 8 Pro Microsoft Windows 7 Ultimate Microsoft Windows 7 Professional Microsoft Windows 7 Enterprise </CODE></PRE> <P>which I would like to group under, say, <CODE>Windows Clients</CODE> via a lookup. I do not know in advance what the values will be, so ideally I would like to be able to say</P> <PRE><CODE>Microsoft Windows 7*,Windows Client Microsoft Windows 8*,Windows Client </CODE></PRE> <P>which does not work as is (and was hinted so by <A href="http://answers.splunk.com/users/171373/aweitzman">aweitzman</A> in his answer.</P> <UL> <LI>is there a direct way to use regexp (or wildcards) in the lookup .csv file?</LI> </UL> <P>The alternate solution I can think about would be to use an external script for the lookup which would get the field value and output something, based on a logic/algorithm within the script (as opposed to a csv)</P> Mon, 16 Jun 2014 15:25:51 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-wildcards-or-regex-in-lookup-csv-file/m-p/198819#M57540 wsw70 2014-06-16T15:25:51Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-wildcards-or-regex-in-lookup-csv-file/m-p/198820#M57541 <P>You might be able to adapt something like the following:</P> <P><CODE>search-goes-here | eval OSGroup=case(match(OSName,"Microsoft Windows 7(.*)"),"Windows Client", match(OSName,"Microsoft Windows 8(.*)"),"Windows Client",match(OSName,"Microsoft Windows Server(.*)"),"Windows Server")</CODE></P> <P>The second argument to each <CODE>match</CODE> function is a regex, and the <CODE>case</CODE> statement lets you line up your matches with your output values.</P> <P>While you can't put these in CSV files, you can turn the <CODE>eval</CODE> clause into a macro (add it to <CODE>macros.conf</CODE>) and refer to it wherever you need it.</P> Mon, 16 Jun 2014 16:23:59 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-wildcards-or-regex-in-lookup-csv-file/m-p/198820#M57541 aweitzman 2014-06-16T16:23:59Z https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-wildcards-or-regex-in-lookup-csv-file/m-p/198821#M57542 <P>Hmmm... it looks like there's more to transforms.conf than I realized.</P> <P>You can put wildcards in the CSV file, and then add the following term to the appropriate stanza in transforms.conf and it will work:</P> <P>match_type = WILDCARD(OSName)</P> Mon, 16 Jun 2014 16:40:44 GMT https://community.splunk.com/t5/Splunk-Search/Is-there-a-way-to-use-wildcards-or-regex-in-lookup-csv-file/m-p/198821#M57542 aweitzman 2014-06-16T16:40:44Z