All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find a value from a lookup table inside a field from search

genesiusj
Builder
‎04-06-2021 01:59 PM

Hello,

I have a lookup table that contains some words: ANGEL, DEVIL, CHURCH, KING, LOVE etc.
I have a search that returns a list of garbled letters: GJKLSER, WIUPAF, NVSDEVILDFP, QNJSANGELW, KINGGVSCHURCH, TRANGELOVEMGX, etc.

Need to find when the word from the lookup is contained in the list of garbled letters (highlighted red above). Also need to know which word(s) were found, as in the green example above; including if the lookup words overlap, as in the purple letter example above.

Each word in the lookup table has a corresponding score, which needs to be included in the results. 

Lastly, the lookup table contains over 1000 words/scores. Otherwise, I would think a foreach would work.

Thanks in advance for ideas, thoughts, direction.

God bless and safe and healthy to you and yours,
Genesius

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-06-2021 02:10 PM

In your lookup, add the words with leading and trailing * characters and make a lookup definition that sets the match type for that field as wildcard, e.g.

WILDCARD(fieldName) 

then when you lookup your field, it will get a match. Use lookup like this

| lookup lookup_definition word OUTPUT word as found_word score

so, the word actually found will be returned as a new field found_word

Hope this helps

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-06-2021 02:10 PM

In your lookup, add the words with leading and trailing * characters and make a lookup definition that sets the match type for that field as wildcard, e.g.

WILDCARD(fieldName) 

then when you lookup your field, it will get a match. Use lookup like this

| lookup lookup_definition word OUTPUT word as found_word score

so, the word actually found will be returned as a new field found_word

Hope this helps

 

Reply
Solved! Jump to solution

genesiusj
Builder
‎04-06-2021 02:36 PM

@bowesmana 

That was PERFECT!

While I have made lookup defs before, I never used them. I didn't know that the def could be used in place of the file name in the lookup command. I understood about the WILDCARD and my lookup included *ANGEL*, etc.

Thanks and God bless,
Genesius

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...