Splunk Lookup - Wildcard * match, How to add stric...

a6brtzz · ‎02-04-2019

I have a below lookup table. I want to match API_URL in my splunk query. The Actual results which i am getting from my query is -

Actual Result
API_URL
api/Company/Google/Product/PixlePhone1
api/Company/Google/Product/PixlePhone2

If i use below lookup table query then i am getting 4 records instead of 2. Because both the queries are matching with WILDCHARD(*) character. I don't know how to use regex in lookup. Is something better option i can try out?

Lookup
ModuleName, API_URL, Description
Producer, api/Company/*, Company Details
Producer, api/Company/*/Product/* , Product Details

Using below Splunk query to get the result -

index=ctos* "Properties.applicationname"="MES Web API"

| dedup Properties.Http_RequestId
| lookup ctos_screen_usage_api_lookup API_URL OUTPUT ModuleName,Description
| table ModuleName,Description, API_URL
| stats count(API_URL) as "UsageCount" by Description

Expected Result -

Description UsageCount
Product Details 2

Your help will be greatly appreciated. Thanks in advance !!

ccl0utier · ‎02-04-2019

You have a few options.

You could move those to separate lookups and use the one relevant to your use case only, making it more flexible (vendors vs. products)
You could simply drop the extra events you don't want in this particular case
You could use max_matches in your lookup configuration to control how many lookup entries can match to supplied values in file-order. See https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Addfieldmatchingrulestoyourlookupconfig....

I'm assuming here that "Product Details" and "Company Details" are placeholder for more detailed information in your example.

a6brtzz · ‎02-04-2019

Thanks for your reply ! I forgot to that Actual Results may vary it can be like -

Actual Result
API_URL
api/Company/Google/Product/PixlePhone1
api/Company/Google/Product/PixlePhone2
api/Company/Google
api/Company/Microsoft

Expected Result Will be -
Description UsageCount
Product Details 2
Company Details 2

ccl0utier · ‎02-05-2019

So, did my answer help you?

Personally, I would change the lookup to list companies and products separately with their relevant additional details, extract those from API_URL using field extract configurations or the rex command and then do the lookups.

I don't know of a way to use wildcards and still force an exact match besides what I mentioned already.

a6brtzz · ‎02-05-2019

Thanks rex solution worked for me. Can you help me how to add FieldName or Eval in rex parameter?

Example -
| rex mode=sed field=Http_Request_Path $RegexString$

I am getting below error -
Error in 'rex' command: Failed to initialize sed. cannot find sed command:

ccl0utier · ‎02-06-2019

You can't use a variable as the regex parameter in the rex command.

There are alternatives using map and sub-searches mentioned in various Splunk Answers post for which you can search if you want to go that route.

Here's an example: https://answers.splunk.com/answers/386488/regex-in-lookuptable.html

But, do you really need to?

Also, why use sed mode here? Don't you want to simply extract the product and company values?

For example:

| rex field=API_URL "api\/Company\/(?<company>.*?)(\/Product\/|$)(?<product>.*)"

BTW, https://regex101.com/ is a great resource to work with and test your regexes.

Splunk Lookup - Wildcard * match, How to add strict equality check?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!