All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find a value from a lookup table inside a field from search

genesiusj
Builder
‎04-06-2021 01:59 PM

Hello,

I have a lookup table that contains some words: ANGEL, DEVIL, CHURCH, KING, LOVE etc.
I have a search that returns a list of garbled letters: GJKLSER, WIUPAF, NVSDEVILDFP, QNJSANGELW, KINGGVSCHURCH, TRANGELOVEMGX, etc.

Need to find when the word from the lookup is contained in the list of garbled letters (highlighted red above). Also need to know which word(s) were found, as in the green example above; including if the lookup words overlap, as in the purple letter example above.

Each word in the lookup table has a corresponding score, which needs to be included in the results. 

Lastly, the lookup table contains over 1000 words/scores. Otherwise, I would think a foreach would work.

Thanks in advance for ideas, thoughts, direction.

God bless and safe and healthy to you and yours,
Genesius

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-06-2021 02:10 PM

In your lookup, add the words with leading and trailing * characters and make a lookup definition that sets the match type for that field as wildcard, e.g.

WILDCARD(fieldName) 

then when you lookup your field, it will get a match. Use lookup like this

| lookup lookup_definition word OUTPUT word as found_word score

so, the word actually found will be returned as a new field found_word

Hope this helps

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-06-2021 02:10 PM

In your lookup, add the words with leading and trailing * characters and make a lookup definition that sets the match type for that field as wildcard, e.g.

WILDCARD(fieldName) 

then when you lookup your field, it will get a match. Use lookup like this

| lookup lookup_definition word OUTPUT word as found_word score

so, the word actually found will be returned as a new field found_word

Hope this helps

 

Reply
Solved! Jump to solution

genesiusj
Builder
‎04-06-2021 02:36 PM

@bowesmana 

That was PERFECT!

While I have made lookup defs before, I never used them. I didn't know that the def could be used in place of the file name in the lookup command. I understood about the WILDCARD and my lookup included *ANGEL*, etc.

Thanks and God bless,
Genesius

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...