How can I search using an inputlookp with wildcard...

humanBeing · ‎06-24-2022

I'm trying to search for a string from a lookup table that has wildcards and spaces.

For example, if I have a field named firewall_string_field that has the following value:

random text randomtext random My File Name With Spaces.doc random randomrandom

My lookup table named my_special_lookup.csv

Field1

"*My File Name With Spaces.doc*"

"*Second File Name With Spaces.doc*"

My query looks like:

index=firewall [|inputlookup my_special_lookup.csv | fields Field1 | rename Field1 AS firewall_string_field]

I get no results.

I get results if I do a simple search like:

index=firewall firewall_string_field="*My File Name With Spaces.doc*"

I tried creating a lookup definition with matchtype WILDCARD(Field1) but am still getting no results.

marysan · ‎05-31-2024

@humanBeing
If your problem is resolved, then please click one of the "Accept as Solution" buttons to help future readers. 🙂

marysan · ‎06-24-2022

this must work :
index=firewall
|lookup my_special_lookup.csv Field1 as firewall_string_field

richgalloway · ‎06-24-2022

When troubleshooting queries containing subsearches it helps to start with the subsearch alone and add the |format command on the end. This will show what the subsearch is returning to the main search and (hopefully) give a clue about what should be changed to get the desired results. In this case, simply adding the format command should do it.

index=firewall [
  | inputlookup my_special_lookup.csv 
  | fields Field1 
  | rename Field1 AS firewall_string_field 
  | format
]

---
If this reply helps you, Karma would be appreciated.

How can I search using an inputlookp with wildcards and spaces?

Other

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services