Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

match_type wildcard not working for automatic lookup

Bentash
Explorer
‎02-06-2020 12:33 PM

Please any help will be appreciated.
We have a lookup test_pci_asset.csv with a field nt_host
values of nt_host are host1 host2

Raw log in splunk host fields are host1.abc.com

We are trying to use automatic lookup to match the host field so when we run a query it can pull back host1.abc.com as host.
We tried the following with WILDCARD(nt_host) but no luck. Props and transforms below

props.conf
[default]
LOOKUP-test_pci_asset.csv = test_pci_asset nt_host AS host OUTPUTNEW bunit category city ip owner

transforms.conf
[test_pci_asset]
batch_index_query = 0
case_sensitive_match = 0
filename = test_pci_asset.csv
match_type = WILDCARD(nt_host)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-07-2020 03:52 AM

Your lookup needs to contain the wildcard.
Enter the hosts in your lookup file as host1*, host2*

If my comment helps, please give it a thumbs up!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

starcher
Influencer
‎02-07-2020 10:28 AM

You cannot get features of a lookup definition if you reference the filename.csv. Create the lookup definition then use that name in the lookup command.

0 Karma
Reply
Solved! Jump to solution
Solution

nickhills
Ultra Champion
‎02-07-2020 03:52 AM

Your lookup needs to contain the wildcard.
Enter the hosts in your lookup file as host1*, host2*

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

Bentash
Explorer
‎02-13-2020 09:57 AM

Thank you @nickhills

|inputlookup pci_asset_lists.csv | eval nt_host=nt_host."*" | outputlookup pci_asset_lists.cs
I added * to the nt_host list with tquery above and still not working. Any ideas why?

0 Karma
Reply
Solved! Jump to solution

Bentash
Explorer
‎02-13-2020 10:18 AM

Actually i had to wait for a while. Its working. thanks

0 Karma
Reply
Solved! Jump to solution

Bentash
Explorer
‎02-13-2020 10:26 AM

|inputlookup pci_asset_lists.csv | eval nt_host=nt_host."*" | outputlookup pci_asset_lists.csv

sorry mistake in previous query

0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎02-13-2020 10:04 AM

You need to use the lookup definition. You can not use a CSV file directly for a wildcard search.

Test it works like this:

<your search> |lookup test_pci_asset nt_host as host OUTPUTNEW bunit category city ip owner
If my comment helps, please give it a thumbs up!
0 Karma
Reply
Solved! Jump to solution

nickhills
Ultra Champion
‎02-13-2020 10:05 AM

also - check the lookup is as you expect:
|inputlookup test_pci_asset do the hotsnames include *

If my comment helps, please give it a thumbs up!
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...