https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292763#M88376 <P>I have the below type of event and I want to add a category field to it using lookups</P> <PRE><CODE>time Transaction Business name 6/01/2018 40.22 ABC foods 6697 VALE TAP AND PAY 0000 8/01/2018 45.22 supermarket suburb TAP and PAY 0000 </CODE></PRE> <P>So, I created the following lookup - test.csv</P> <PRE><CODE>Business name,Category ABC foods 6697 VALE TAP AND PAY 0000,Dine out DEF utilities,Utilities TARGET suburb name,Shopping supermarket suburb TAP and PAY 0000,Groceries </CODE></PRE> <P>Below is my search query,</P> <PRE><CODE>index="finance" sourcetype="csv_finance" | lookup test.csv "Business name" OUTPUT Category| table "Business name" Category </CODE></PRE> <P>but its not displaying the results.<BR /> How can I create a successful lookup that will display the <STRONG>categories</STRONG> along with the <STRONG>business name</STRONG> in the search results ?</P> Wed, 10 Jan 2018 00:07:53 GMT damode 2018-01-10T00:07:53Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292763#M88376 <P>I have the below type of event and I want to add a category field to it using lookups</P> <PRE><CODE>time Transaction Business name 6/01/2018 40.22 ABC foods 6697 VALE TAP AND PAY 0000 8/01/2018 45.22 supermarket suburb TAP and PAY 0000 </CODE></PRE> <P>So, I created the following lookup - test.csv</P> <PRE><CODE>Business name,Category ABC foods 6697 VALE TAP AND PAY 0000,Dine out DEF utilities,Utilities TARGET suburb name,Shopping supermarket suburb TAP and PAY 0000,Groceries </CODE></PRE> <P>Below is my search query,</P> <PRE><CODE>index="finance" sourcetype="csv_finance" | lookup test.csv "Business name" OUTPUT Category| table "Business name" Category </CODE></PRE> <P>but its not displaying the results.<BR /> How can I create a successful lookup that will display the <STRONG>categories</STRONG> along with the <STRONG>business name</STRONG> in the search results ?</P> Wed, 10 Jan 2018 00:07:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292763#M88376 damode 2018-01-10T00:07:53Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292764#M88377 <P>Does your lookup table have the numbers at the front of the line? It's displayed with two leading numbers, which seems to indicate the 2nd number per line is actually in your file.</P> Wed, 10 Jan 2018 00:44:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292764#M88377 micahkemp 2018-01-10T00:44:14Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292765#M88378 <P>No, the lookup table doesnt have any numbers. Sorry, I got the formatting wrong while posting this qn. I will update it.</P> Wed, 10 Jan 2018 00:48:35 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292765#M88378 damode 2018-01-10T00:48:35Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292766#M88379 <P>It's also unclear from your posted data what the values of each field are in the event. Is the Business Name <CODE>ABC foods 6697 VALE TAP AND PAY 0000</CODE>?</P> Wed, 10 Jan 2018 00:51:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292766#M88379 micahkemp 2018-01-10T00:51:59Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292767#M88380 <P>Yes, thats right.<BR /> the data is of bank transactions in csv file format.</P> Wed, 10 Jan 2018 00:53:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292767#M88380 damode 2018-01-10T00:53:39Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292768#M88381 <P>You can do wildcard matching in your lookup. And to avoid confusion I'd use <CODE>_</CODE> instead of in your field names in the lookup.</P> <P>transforms.conf:</P> <PRE><CODE>[test] filename = test.csv match_type = WILDCARD(Business_name) </CODE></PRE> <P>test.csv:</P> <PRE><CODE> Business_name,Category ABC*,Dine out DEF*,Utilities TARGET*,Shopping supermarket*,Groceries </CODE></PRE> <P>And when searching:</P> <PRE><CODE>index="finance" sourcetype="csv_finance" | lookup test Business_name AS "Business name" OUTPUT Category| table "Business name" Category </CODE></PRE> Wed, 10 Jan 2018 00:55:00 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292768#M88381 micahkemp 2018-01-10T00:55:00Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292769#M88382 <P>Thanks @micahkemp!</P> Wed, 10 Jan 2018 01:56:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-lookup-matching-non-exact-words/m-p/292769#M88382 damode 2018-01-10T01:56:45Z