Hi,
We have a field called BOTs which extracts all the legitimate BOTs (which have +http://.... in the user agent). I want to add the other BOTs into the same field which do not follow the standard user agent format (so they won't have +http://.. format).
I have a lookup table and tried match_type = WILDCARD(useragent), and I have the following in the csv file (lookup file):
BOTs useragent
Traverse Traverse
Capture Capture
But I am not getting them in the BOTs field. Any suggestions?
Assuming your props/transforms is properly configured, your csv file fields will need to include * (one or both sides of the value) in order to wildcard match.
I forgot to put the asterisks in here, but I do have them in my csv file. But I am still not seeing them.
From Manager>Lookups>Lookup Definitions or Automatic Lookups for this lookup, if you open it, and save it, the case_sensitive_property will go away in transforms.conf.
I have found a way to make sure the case_sensitive_match=false is not reset. In transforms.conf add the stanza to the [default] level. However, this will affect all lookups in that transforms.conf.
Do you have a sample of your current lookup file? It needs to be a comma delimited csv file with wildcard (*).
To see the output, type in search UI, " | inputlookup BOTs.csv "
Also, make sure that the lookup file exists in ~/etc/system/lookups/ OR ~/etc/apps/search/lookups/ and has read permission properly set.
Hi, I have added that but I still don't see data.
[BOTs]
filename = BOTs.csv
case_sensitive_match=false
match_type = WILDCARD(User_Agent)
Thank you. I will try this. Can you elaborate on "it needs to be reset after every splunk_web lookup update/save"
You might need to add:
case_sensitive_match = false
to the transforms.conf stanza for this input.
The problem with this attribute is it needs to be reset after every splunk_web lookup update/save.
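Added example, not part of any post in this thread: a small Python check for the three things the replies ask about (comma-delimited file, a column matching the field named in match_type, and `*` in the values), plus a rough emulation of a case-insensitive wildcard lookup. The sample CSV is constructed, the function names are hypothetical, and the matching is an approximation for debugging, not Splunk's own code.

```python
import csv
import io
import re

# Constructed sample lookup content (not the poster's actual file).
SAMPLE_CSV = """BOTs,User_Agent
Traverse,*Traverse*
Capture,Capture
"""

def lint_lookup(csv_text, match_field):
    """Return problems that would stop WILDCARD(match_field) from matching."""
    problems = []
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    if len(header) < 2:
        problems.append("header has fewer than two columns; is the file comma delimited?")
        return problems
    if match_field not in header:
        problems.append(f"column {match_field!r} named in match_type is not in header {header}")
        return problems
    for lineno, row in enumerate(reader, start=2):
        value = (row.get(match_field) or "").strip()
        if "*" not in value:
            problems.append(f"line {lineno}: {value!r} has no '*', so it only matches exactly")
    return problems

def first_match(csv_text, match_field, out_field, user_agent, case_sensitive=False):
    """Emulate a wildcard lookup: '*' matches any run of characters."""
    flags = 0 if case_sensitive else re.IGNORECASE
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Escape everything except '*', which becomes '.*'.
        pattern = ".*".join(re.escape(p) for p in row[match_field].split("*"))
        if re.fullmatch(pattern, user_agent, flags):
            return row[out_field]
    return None

if __name__ == "__main__":
    for problem in lint_lookup(SAMPLE_CSV, "User_Agent"):
        print(problem)
    print(first_match(SAMPLE_CSV, "User_Agent", "BOTs", "traverse/1.0 crawler"))
```

Running it against an exported copy of the lookup shows quickly whether a miss comes from the file itself or from case sensitivity.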