Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I search using an inputlookp with wildcards and spaces?

humanBeing
Engager
‎06-24-2022 11:30 AM

I'm trying to search for a string from a lookup table that has wildcards and spaces.  

For example, if I have a field named firewall_string_field that has the following value:

random text randomtext random My File Name With Spaces.doc random randomrandom

My lookup table named my_special_lookup.csv

Field1
"*My File Name With Spaces.doc*"
"*Second File Name With Spaces.doc*"

 

My query looks like:

index=firewall [|inputlookup my_special_lookup.csv | fields Field1 | rename Field1 AS firewall_string_field]


I get no results.  

I get results if I do a simple search like:

index=firewall firewall_string_field="*My File Name With Spaces.doc*"


I tried creating a lookup definition with matchtype WILDCARD(Field1) but am still getting no results.  

0 Karma
Reply

marysan
Communicator
‎05-31-2024 08:40 AM

@humanBeing 
If your problem is resolved, then please click one of the "Accept as Solution" buttons to help future readers. 🙂

0 Karma
Reply

marysan
Communicator
‎06-24-2022 10:23 PM

this must work :
index=firewall
|lookup my_special_lookup.csv  Field1 as firewall_string_field


Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-24-2022 11:46 AM

When troubleshooting queries containing subsearches it helps to start with the subsearch alone and add the |format command on the end.  This will show what the subsearch is returning to the main search and (hopefully) give a clue about what should be changed to get the desired results.  In this case, simply adding the format command should do it.

index=firewall [
  | inputlookup my_special_lookup.csv 
  | fields Field1 
  | rename Field1 AS firewall_string_field 
  | format
]
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...