I have the lookup table below. I want to match API_URL in my Splunk query. The actual results which I am getting from my query are -
If I use the lookup table query below, then I am getting 4 records instead of 2, because both the queries are matching with the WILDCARD(*) character. I don't know how to use regex in a lookup. Is there a better option I can try out?
ModuleName, API_URL, Description
Producer, api/Company/*, Company Details
Producer, api/Company/*/Product/* , Product Details
I am using the Splunk query below to get the result -
index=ctos* "Properties.applicationname"="MES Web API"
| dedup Properties.HttpRequestId
| lookup ctosscreenusageapilookup APIURL OUTPUT ModuleName,Description
| table ModuleName,Description, APIURL
| stats count(APIURL) as "UsageCount" by Description
Expected Result -
Product Details 2
Your help will be greatly appreciated. Thanks in advance !!
You have a few options.
max_matches in your lookup configuration to control how many lookup entries can match to supplied values in file-order. See https://docs.splunk.com/Documentation/Splunk/7.2.3/Knowledge/Addfieldmatchingrulestoyourlookupconfig....
I'm assuming here that "Product Details" and "Company Details" are placeholders for more detailed information in your example.
Thanks for your reply! I forgot to mention that the actual results may vary; it can be like -
Expected Result Will be -
Product Details 2
Company Details 2
So, did my answer help you?
Personally, I would change the lookup to list companies and products separately with their relevant additional details, extract those from API_URL using field extract configurations or the rex command and then do the lookups.
I don't know of a way to use wildcards and still force an exact match besides what I mentioned already.
The rex solution worked for me. Can you help me with how to add a FieldName or Eval in the rex parameter?
| rex mode=sed field=HttpRequestPath $RegexString$
I am getting the error below -
Error in 'rex' command: Failed to initialize sed. cannot find sed command:
You can't use a variable as the regex parameter in the rex command.
There are alternatives using map and sub-searches mentioned in various Splunk Answers posts, which you can search for if you want to go that route.
Here's an example: https://answers.splunk.com/answers/386488/regex-in-lookuptable.html
But, do you really need to?
Also, why use sed mode here? Don't you want to simply extract the
| rex field=API_URL "api\/Company\/(?<company>.*?)(\/Product\/|$)(?<product>.*)"
BTW, https://regex101.com/ is a great resource to work with and test your regexes.
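The double counting described in the question and the two fixes raised in the answers (capping matches in file order, and extracting fields before matching), modelled in Python as an added example that is not code from this thread. The request paths are constructed, and `fnmatchcase` standing in for the lookup's wildcard matching is an assumption of the model.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Lookup rows from the question (ModuleName, API_URL, Description), in file order.
LOOKUP = [
    ("Producer", "api/Company/*", "Company Details"),
    ("Producer", "api/Company/*/Product/*", "Product Details"),
]
# Constructed sample request paths (not from the original post).
EVENTS = ["api/Company/101", "api/Company/102",
          "api/Company/101/Product/7", "api/Company/102/Product/9"]

def wildcard_lookup(url, rows, max_matches=None):
    """Model of a wildcard lookup (assumption): '*' matches any run of
    characters, '/' included; hits come back in file order, capped at max_matches."""
    hits = [desc for _, pattern, desc in rows if fnmatchcase(url, pattern)]
    return hits if max_matches is None else hits[:max_matches]

# Segment-anchored variant of the answer's rex: a capture stops at the next '/'.
PATH_RE = re.compile(
    r"^api/Company/(?P<company>[^/]+)(?:/Product/(?P<product>[^/]+))?$")

def classify(url):
    """Extract company/product first, then pick the description exactly."""
    m = PATH_RE.match(url)
    if m is None:
        return None  # unknown path: report it instead of mislabelling it
    return "Product Details" if m.group("product") else "Company Details"

def usage_counts(events, resolver):
    """Equivalent of 'stats count by Description'; multi-value hits count once each."""
    counts = Counter()
    for url in events:
        result = resolver(url)
        counts.update([result] if isinstance(result, str) else (result or []))
    return dict(counts)

if __name__ == "__main__":
    specific_first = list(reversed(LOOKUP))
    print("all wildcard hits:", usage_counts(EVENTS, lambda u: wildcard_lookup(u, LOOKUP)))
    print("cap 1, file order:", usage_counts(EVENTS, lambda u: wildcard_lookup(u, LOOKUP, 1)))
    print("cap 1, specific first:",
          usage_counts(EVENTS, lambda u: wildcard_lookup(u, specific_first, 1)))
    print("extract then match:", usage_counts(EVENTS, classify))
```

In this model, capping at one match only gives the expected counts when the more specific pattern is listed first; extracting the path segments first does not depend on row order.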