Solved: How to set empty string or null value for non-matc...

dorilevy · ‎11-02-2014

Hi,

According to the document splunk should use empty string for non-matching lookup by default. Yet, when i set an automatic lookup, i can see it uses the "NONE" string by default.

I need it to be either empty string or null(). I tried setting default (in transforms.conf file) to NULL or null() but it just sets a string with that value.

Here is how my auto-lookup is set:

props.conf:
LOOKUP-check = valid_sc_users user_id

[valid_sc_users]
filename = valid_sc_users.csv
max_matches = 1
min_matches = 1
disabled = 0

Thanks You

dorilevy · ‎11-03-2014

Just found out i can set the min_matches to 0, because the output field does not exists. this way nothing will be added - and that's what i needed.

View solution in original post

dorilevy · ‎11-03-2014

Just found out i can set the min_matches to 0, because the output field does not exists. this way nothing will be added - and that's what i needed.

How to set empty string or null value for non-matched lookup items?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation