https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274488#M82790 <P>I'm not sure whether or not this is a unique problem, but I'm hoping someone can help even if I'm overlooking an obvious solution :-).</P> <P>I have a lookup table that is a domain whitelist that we allow through our proxies. For example, let's pretend a portion of this lookup table is like this (keeping in mind that some of the whitelisted domains might be sub-domains):</P> <PRE><CODE>uri_host -------- google.com amazon.com yahoo.com answers.splunk.com . . . </CODE></PRE> <P>What I'm trying to figure out is if there is a way to not only use this lookup table to search across the proxy logs, but also add a field to each resulting event called, say, "match_string" that contains the value from the lookup table that caused the event to match.</P> <P>For example, if in the proxy logs there are events of people browsing to "maps.google.com" and "images.google.com", those would match my whitelist due to "google.com" being there, but I want to somehow tie that back to the lookup table so that I know it shows up in the results because it matched against "google.com". The results of this might look like:</P> <PRE><CODE>uri_host match_string -------- ------------ maps.google.com google.com images.google.com google.com mail.yahoo.com yahoo.com answers.splunk.com answers.splunk.com </CODE></PRE> <P>Hopefully that explains what I'm trying to do well enough, and thank you in advance to anyone who can help!</P> Mon, 04 Apr 2016 17:24:06 GMT techusky 2016-04-04T17:24:06Z https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274488#M82790 <P>I'm not sure whether or not this is a unique problem, but I'm hoping someone can help even if I'm overlooking an obvious solution :-).</P> <P>I have a lookup table that is a domain whitelist that we allow through our proxies. For example, let's pretend a portion of this lookup table is like this (keeping in mind that some of the whitelisted domains might be sub-domains):</P> <PRE><CODE>uri_host -------- google.com amazon.com yahoo.com answers.splunk.com . . . </CODE></PRE> <P>What I'm trying to figure out is if there is a way to not only use this lookup table to search across the proxy logs, but also add a field to each resulting event called, say, "match_string" that contains the value from the lookup table that caused the event to match.</P> <P>For example, if in the proxy logs there are events of people browsing to "maps.google.com" and "images.google.com", those would match my whitelist due to "google.com" being there, but I want to somehow tie that back to the lookup table so that I know it shows up in the results because it matched against "google.com". The results of this might look like:</P> <PRE><CODE>uri_host match_string -------- ------------ maps.google.com google.com images.google.com google.com mail.yahoo.com yahoo.com answers.splunk.com answers.splunk.com </CODE></PRE> <P>Hopefully that explains what I'm trying to do well enough, and thank you in advance to anyone who can help!</P> Mon, 04 Apr 2016 17:24:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274488#M82790 techusky 2016-04-04T17:24:06Z https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274489#M82791 <P>This is a good use-case for Wildcard lookup. See this similar answer for more details</P> <P><A href="https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html">https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html</A></P> <P>Basically, have your lookup table as this (say domainlookup.csv)</P> <PRE><CODE>uri_host, match_string *google.com,google.com *amazon.com,amazon.com *yahoo.com,yahoo.com *answers.splunk.com,answers.splunk.com </CODE></PRE> <P>have your <CODE>transforms.conf</CODE> with this</P> <PRE><CODE> [domainlookup] filename = domainlookup.csv match_type = WILDCARD(uri_host) </CODE></PRE> <P>Now you can add a lookup command to your search OR setup automatic lookup (to add the field match_string automatically to each events of yoursourcetype)</P> <P>props.conf</P> <PRE><CODE>[yoursourcetype] ..other settings... LOOKUP-domain= domainlookup uri_host OUTPUT match_string </CODE></PRE> Mon, 04 Apr 2016 19:02:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274489#M82791 somesoni2 2016-04-04T19:02:05Z https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274490#M82792 <P>I think I have things set up as you have suggested, but I'm running into an issue where nothing is actually outputting for the match_string field. I have the config added to the transforms.conf file (but did not add anything into props.conf since I'm not doing an automatic lookup).</P> <P>Then I'm running the following search, but match_string is blank:</P> <PRE><CODE>index=proxy_logs | lookup domainlookup uri_host OUTPUT match_string | table uri_host, match_string </CODE></PRE> Mon, 04 Apr 2016 20:50:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274490#M82792 techusky 2016-04-04T20:50:36Z https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274491#M82793 <P>I'm able to make it work with same settings in my test machine. Can you try to run following query in your instance and let me know if you see a value for the field match_string?</P> <PRE><CODE>| gentimes start=-1 | eval uri_host="maps.google.com" | table uri_host | lookup domainlookup uri_host </CODE></PRE> Mon, 04 Apr 2016 21:28:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274491#M82793 somesoni2 2016-04-04T21:28:21Z https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274492#M82794 <P>this should work.</P> <P>is it possible that you don't have a field named exactly "uri_host" in your events?</P> <P>also, if you post your related props.conf &amp; transforms.conf stanzas along with your lookup file definition &amp; sample we can help with debugging a bit more.</P> Tue, 05 Apr 2016 01:33:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274492#M82794 jmeyers_splunk 2016-04-05T01:33:19Z https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274493#M82795 <P>WOW! Sometimes it's the smallest, dumbest things that trip you up... I was in the process of typing up the relevant part of the transforms.conf as well as a sample of the lookup csv, when I realized that the lookup table had quotes around the field names, so "match_string" instead of just match_string.</P> <P>I fixed the lookup table and now everything works as expected. Sheesh. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 29 Sep 2020 09:21:33 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274493#M82795 techusky 2020-09-29T09:21:33Z https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274494#M82796 <P>Awesome. Thank you for posting back your results and what lead to your problem. Those pieces of information will help somebody else in the future. </P> Tue, 05 Apr 2016 15:17:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-add-a-lookup-table-value-to-matching-search-results/m-p/274494#M82796 jmeyers_splunk 2016-04-05T15:17:46Z