How to use a lookup with wildcard based fields to ...

DrFedtke · ‎01-04-2016

Hi all.

My scenario is:

1) lookup table with fields 3 fields

msgId,msg,critical
SHK5*,*BLABLABLA*,yes

2) events/incidents should be enriched with the field critical in
case BOTH fields of the lookup table (msgId and msg) are matching
(i.e. both are AND-related, not OR-related)

for example, the message

SHKI5544 BLABLABLA should match, but
SHKI5544 LALALALA not

my props.conf:

[sf_splunk_assessment]
...
LOOKUP-assessmentOperationProblem = assessment_lookup_operation_problem msgId , msg

my transforms.conf:

...
[assessment_lookup_operation_problem]
filename = Operation_Problem_Detection.csv
match_type = WILDCARD(msgId,msg)
max_matches=2
min_matches=1
default_match=---
case_sensitive_match=false

======================

But it does not work.

Then I have a problem to exactly understand "max_matches":
Does this value refer to a lookup given by both and related values, or does each one, msg and msgId, counts +1?

And in general, how does max_matches > 1 work? Will the looked-up value become part of any subsequent lookup? or does the lookup process always use the original value?

Thanks for any feedback.

best
stephen

thirumalreddyb · ‎01-04-2016

your search query with data ..... | lookup msgId msg OUTPUT critical

How to use a lookup with wildcard based fields to search for matching field combinations?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?