Re: How can I search using an inputlookp with wild...

humanBeing · ‎06-24-2022

I'm trying to search for a string from a lookup table that has wildcards and spaces.

For example, if I have a field named firewall_string_field that has the following value:

random text randomtext random My File Name With Spaces.doc random randomrandom

My lookup table named my_special_lookup.csv

Field1

"*My File Name With Spaces.doc*"

"*Second File Name With Spaces.doc*"

My query looks like:
index=firewall [|inputlookup my_special_lookup.csv | fields Field1 | rename Field1 AS firewall_string_field]

I get no results.

I get results if I do a simple search like:
index=firewall firewall_string_field="*My File Name With Spaces.doc*"

I tried creating a lookup definition with matchtype WILDCARD(Field1) but am still getting no results.

marysan · ‎06-24-2022

this must work :
index=firewall
|lookup my_special_lookup.csv Field1 as firewall_string_field

richgalloway · ‎06-24-2022

When troubleshooting queries containing subsearches it helps to start with the subsearch alone and add the |format command on the end. This will show what the subsearch is returning to the main search and (hopefully) give a clue about what should be changed to get the desired results. In this case, simply adding the format command should do it.

index=firewall [
  | inputlookup my_special_lookup.csv 
  | fields Field1 
  | rename Field1 AS firewall_string_field 
  | format
]

---
If this reply helps you, Karma would be appreciated.

How can I search using an inputlookp with wildcards and spaces?

other

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio