Please, any help will be appreciated.
We have a lookup test_pci_asset.csv with a field nt_host.
The values of nt_host are host1, host2.
In the raw logs in Splunk, the host field is host1.abc.com.
We are trying to use an automatic lookup to match the host field, so that when we run a query it can pull back host1.abc.com as host.
We tried the following with WILDCARD(nt_host) but no luck. Props and transforms are below.
props.conf
[default]
LOOKUP-test_pci_asset.csv = test_pci_asset nt_host AS host OUTPUTNEW bunit category city ip owner
transforms.conf
[test_pci_asset]
batch_index_query = 0
case_sensitive_match = 0
filename = test_pci_asset.csv
match_type = WILDCARD(nt_host)
Your lookup needs to contain the wildcard.
Enter the hosts in your lookup file as host1*, host2*
You cannot get features of a lookup definition if you reference the filename.csv. Create the lookup definition then use that name in the lookup command.
Thank you @nickhills
|inputlookup pci_asset_lists.csv | eval nt_host=nt_host."*" | outputlookup pci_asset_lists.cs
I added * to the nt_host list with the query above and it is still not working. Any ideas why?
Actually I had to wait for a while. It's working. Thanks.
|inputlookup pci_asset_lists.csv | eval nt_host=nt_host."*" | outputlookup pci_asset_lists.csv
Sorry, mistake in the previous query.
You need to use the lookup definition. You cannot use a CSV file directly for a wildcard search.
Test that it works like this:
<your search> |lookup test_pci_asset nt_host as host OUTPUTNEW bunit category city ip owner
Also, check the lookup is as you expect:
|inputlookup test_pci_asset
Do the hostnames include *?
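To make the answers above concrete, here is an added Python emulation of what the lookup definition does with match_type = WILDCARD(nt_host) and case_sensitive_match = 0; it is not code from the thread or from Splunk. It assumes WILDCARD treats only "*" as special (everything else literal, so the dots in an FQDN do not act as regex metacharacters), approximates case_sensitive_match = 0 with a case-insensitive regex, and uses a constructed lookup file whose nt_host values carry the trailing "*" that the answers recommend.

```python
import csv
import io
import re

# Constructed lookup file mirroring the thread's test_pci_asset.csv,
# with nt_host written as "host1*" / "host2*" as the answers suggest.
LOOKUP_CSV = """nt_host,bunit,category,city,ip,owner
host1*,finance,pci,london,10.0.0.1,alice
host2*,retail,pci,paris,10.0.0.2,bob
"""

OUTPUT_FIELDS = ["bunit", "category", "city", "ip", "owner"]


def wildcard_to_regex(pattern, case_sensitive=False):
    # Only "*" is a wildcard (assumption); escape everything else so that
    # "host1.abc.com" is matched literally rather than as a regex.
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = 0 if case_sensitive else re.IGNORECASE  # case_sensitive_match = 0
    return re.compile("^" + body + "$", flags)


def load_lookup(text, match_field, case_sensitive=False):
    # One compiled pattern per CSV row, paired with the row's output values.
    rows = csv.DictReader(io.StringIO(text))
    return [(wildcard_to_regex(r[match_field], case_sensitive), r) for r in rows]


def apply_lookup(event, lookup, event_field, outputnew):
    # Emulates `lookup test_pci_asset nt_host AS host OUTPUTNEW ...`:
    # the first row whose pattern matches event[event_field] wins, and
    # OUTPUTNEW only fills fields the event does not already carry.
    value = event.get(event_field, "")
    for regex, row in lookup:
        if regex.match(value):
            enriched = dict(event)
            for field in outputnew:
                if field not in enriched:  # OUTPUTNEW never overwrites
                    enriched[field] = row[field]
            return enriched
    return dict(event)  # no match: event passes through unchanged


def enrich_events(events, lookup_text=LOOKUP_CSV):
    lookup = load_lookup(lookup_text, "nt_host")
    return [apply_lookup(e, lookup, "host", OUTPUT_FIELDS) for e in events]
```

Running the same events against a lookup whose nt_host values lack the "*" (the original poster's first attempt) yields no enrichment, which is the failure mode the answers describe.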