topic Re: Match from a lookup table in Splunk Search

Match from a lookup table

BenImen — Mon, 09 Apr 2018 20:51:12 GMT

Hi,
I'm new at Splunk and I need some help.
I have a query that looks like this:
sourcetype = ... index = ... | eval appel = box (match (wasRequestURL, ". * / api / smthg / smthgX /./ smthgY"), "/ api / smthg / smthgX / {id} / smthgY", match (wasRequestURL, ". * / api /smthg/smthgX/./smthgY/./smthgXY."),"/api/smthg/smthgX/{id}/smthgY/{id}/smthgXY ") |stats count, avg (ResponseTime) as TMoy by calls, http-method

I created a lookup file that contains 2 fields:
url, url_corresp
". * / Api / smthg / smthgX /.*/ smthgY", "/ api / smthg / smthgX / {id} / smthgY"

I would like to apply a match that loop on the url of the lookup and assign appel to the corresponding url, is it possible to do it?
otherwise if there is another more optimized solution because I have a long list of urls that are heterogeneous and even a regex is heavy to apply!
Thank you in advance

Re: Match from a lookup table

somesoni2 — Mon, 09 Apr 2018 21:23:54 GMT

You'd need to change your lookup table to do wildcard match, then use the lookup command instead of eval-case. See this link for a sample implementation of lookup with wildcard match. You'd need to add appropriate wildcard character * in your lookup table field url's value which you'll be matching with field wasRequestURL.

https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

Re: Match from a lookup table

BenImen — Tue, 10 Apr 2018 17:03:18 GMT

I understand the solution but the problem now that I don't have access to transforms.conf 😕
Anyway, thanks for your answer 🙂