
Splunk Lookup - Wildcard * match, How to add strict equality check?

New Member

I have the lookup table below. I want to match API_URL in my Splunk query. The actual results I am getting from my query are -

Actual Result
API_URL
api/Company/Google/Product/PixlePhone1
api/Company/Google/Product/PixlePhone2

If I use the lookup table below in my query, I get 4 records instead of 2, because both lookup entries match through the WILDCARD (*) character. I don't know how to use regex in a lookup. Is there a better option I can try?

Lookup
ModuleName, API_URL, Description
Producer, api/Company/*, Company Details
Producer, api/Company/*/Product/*, Product Details

Using the Splunk query below to get the result -

index=ctos* "Properties.applicationname"="MES Web API"
| dedup Properties.HttpRequestId
| lookup ctos_screenusageapilookup API_URL OUTPUT ModuleName,Description
| table ModuleName,Description, API_URL
| stats count(API_URL) as "UsageCount" by Description

Expected Result -

Description UsageCount
Product Details 2

Your help will be greatly appreciated. Thanks in advance !!

0 Karma

Splunk Employee

You have a few options.

  1. You could move those to separate lookups and use the one relevant to your use case only, making it more flexible (vendors vs. products)
  2. You could simply drop the extra events you don't want in this particular case
  3. You could use max_matches in your lookup configuration to control how many lookup entries can match to supplied values in file-order. See https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Addfieldmatchingrulestoyourlookupconfig....

I'm assuming here that "Product Details" and "Company Details" are placeholders for more detailed information in your example.

0 Karma

New Member

Thanks for your reply! I forgot to mention that the actual results may vary; they can be like -

Actual Result
API_URL
api/Company/Google/Product/PixlePhone1
api/Company/Google/Product/PixlePhone2
api/Company/Google
api/Company/Microsoft

Expected Result will be -
Description UsageCount
Product Details 2
Company Details 2

0 Karma

Splunk Employee

So, did my answer help you?

Personally, I would change the lookup to list companies and products separately with their relevant additional details, extract those from API_URL using field extract configurations or the rex command and then do the lookups.

I don't know of a way to use wildcards and still force an exact match besides what I mentioned already.

0 Karma

New Member

Thanks, the rex solution worked for me. Can you help me with how to add a field name or eval in the rex parameter?

Example -
| rex mode=sed field=HttpRequestPath $RegexString$

I am getting below error -
Error in 'rex' command: Failed to initialize sed. cannot find sed command:

0 Karma

Splunk Employee

You can't use a variable as the regex parameter in the rex command.

There are alternatives using map and sub-searches mentioned in various Splunk Answers posts, which you can search for if you want to go that route.

Here's an example: https://answers.splunk.com/answers/386488/regex-in-lookuptable.html

But, do you really need to?

Also, why use sed mode here? Don't you want to simply extract the product and company values?

For example:

| rex field=API_URL "api\/Company\/(?<company>.*?)(\/Product\/|$)(?<product>.*)"

BTW, https://regex101.com/ is a great resource to work with and test your regexes.

0 Karma
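As an added example (not code from the thread), the wildcard lookup and the rex pattern from the answer replayed in Python over the sample API_URL values: the wildcard lookup returns both rows for a product URL, which is why the count came out as 4, while extracting company and product first yields one Description per event. The only change to the regex is Python's `(?P<name>...)` syntax for the named groups; the sample URLs and lookup rows are the ones posted above.

```python
import re
from collections import Counter

# Constructed sample of the API_URL values posted in the thread.
API_URLS = [
    "api/Company/Google/Product/PixlePhone1",
    "api/Company/Google/Product/PixlePhone2",
    "api/Company/Google",
    "api/Company/Microsoft",
]

# The wildcard lookup rows from the question as (API_URL pattern, Description), in file order.
WILDCARD_LOOKUP = [
    ("api/Company/*", "Company Details"),
    ("api/Company/*/Product/*", "Product Details"),
]

# The rex pattern from the answer, with Splunk's (?<name>...) written as Python's (?P<name>...).
URL_RE = re.compile(r"api/Company/(?P<company>.*?)(/Product/|$)(?P<product>.*)")


def wildcard_to_regex(pattern):
    """Turn a lookup WILDCARD(*) pattern into an anchored regex; '*' matches anything, '/' included."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")) + r"\Z")


def wildcard_lookup_matches(url, lookup=WILDCARD_LOOKUP):
    """Every lookup row whose pattern matches the URL; product URLs match both rows."""
    return [desc for pat, desc in lookup if wildcard_to_regex(pat).match(url)]


def wildcard_usage_count(urls):
    """UsageCount by Description when the wildcard lookup is applied as-is (double counting)."""
    return Counter(desc for url in urls for desc in wildcard_lookup_matches(url))


def extract(url):
    """Pull (company, product) out of API_URL with the rex pattern; product is '' for company-only URLs."""
    m = URL_RE.match(url)
    return None if m is None else (m.group("company"), m.group("product"))


def usage_count(urls):
    """UsageCount by Description after extraction: one Description per event, so no double counting."""
    counts = Counter()
    for url in urls:
        fields = extract(url)
        if fields is not None:
            counts["Product Details" if fields[1] else "Company Details"] += 1
    return counts
```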