https://community.splunk.com/t5/Splunk-Search/How-to-create-an-automatic-lookup-where-lookup-input-fields-are/m-p/210946#M61667 <P>Hi dwalker1,</P> <P>you can have a look at the <CODE>match_type</CODE> option in <CODE>transforms.conf</CODE> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf</A> which supports wildcard matches. See this answers <A href="https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html">https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html</A> for a good example.</P> <P>If this does not work for you, you could use <CODE>eval</CODE> and the <CODE>match</CODE> or <CODE>like</CODE> <A href="http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions#Comparison_and_Conditional_functions">http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions#Comparison_and_Conditional_functions</A> functions to normalise or compare the fields.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Wed, 20 Apr 2016 20:42:42 GMT MuS 2016-04-20T20:42:42Z https://community.splunk.com/t5/Splunk-Search/How-to-create-an-automatic-lookup-where-lookup-input-fields-are/m-p/210945#M61666 <P>HI Folks,</P> <P>I'm trying to get automatic lookups working for a custom CSV file import. I'm trying to key in on two fields that have similar host names, but not exact. Is there a way to use something like contains versus equals?</P> <P>Examples:</P> <P>CSV Lookup Field: <STRONG>WAN_device_dns</STRONG></P> <P>Splunk Field: <STRONG>Host</STRONG></P> <P>CSV Lookup Field value: <STRONG>washington_bah.domain.com</STRONG></P> <P>Splunk Fields value: <STRONG>washington_bah-loop7</STRONG></P> <P>I'd like to equate these fields as the same in the automatic field association if the beginning matches since my CSV script automatically generates externally. If not, I'll have to rewrite the CSV output. </P> <P>Thanks all,<BR /> G1</P> Tue, 29 Sep 2020 09:27:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-an-automatic-lookup-where-lookup-input-fields-are/m-p/210945#M61666 dwalker1 2020-09-29T09:27:46Z https://community.splunk.com/t5/Splunk-Search/How-to-create-an-automatic-lookup-where-lookup-input-fields-are/m-p/210946#M61667 <P>Hi dwalker1,</P> <P>you can have a look at the <CODE>match_type</CODE> option in <CODE>transforms.conf</CODE> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf">http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf</A> which supports wildcard matches. See this answers <A href="https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html">https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html</A> for a good example.</P> <P>If this does not work for you, you could use <CODE>eval</CODE> and the <CODE>match</CODE> or <CODE>like</CODE> <A href="http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions#Comparison_and_Conditional_functions">http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions#Comparison_and_Conditional_functions</A> functions to normalise or compare the fields.</P> <P>Hope this helps ...</P> <P>cheers, MuS</P> Wed, 20 Apr 2016 20:42:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-an-automatic-lookup-where-lookup-input-fields-are/m-p/210946#M61667 MuS 2016-04-20T20:42:42Z https://community.splunk.com/t5/Splunk-Search/How-to-create-an-automatic-lookup-where-lookup-input-fields-are/m-p/210947#M61668 <P>Thanks for the quick response. I'll have to dig further but it looks like what I'm looking for. Thanks again!</P> <P>G1</P> Fri, 22 Apr 2016 12:17:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-an-automatic-lookup-where-lookup-input-fields-are/m-p/210947#M61668 dwalker1 2016-04-22T12:17:43Z