Use Wildcards, 'contains' or 'like' on lookup table - Splunk Cloud

JordanR
Observer

If I have a lookup table that contains the following:

error,priority
Unable to find any company of ID,P2
500 Internal Server Error,P1

And result query with fields:

  • 500 Internal Server Error: {xxx}
  • Unable to find any company of ID: xxx

Using the below query only brings back direct matches:

<search query>
| lookup _error_message_prority error AS ErrorMessage OUTPUTNEW Priority AS Priority

Is there a way to use wildcards, 'like' or 'contains' when using lookup tables in Splunk Cloud?

0 Karma

richgalloway
SplunkTrust

Yes, lookups can support wildcards.  Go to Settings->Lookups->Lookup definitions and edit the lookup.  Tick the "Advanced options" box and enter WILDCARD(error) in the "Match type" box.  Then it's up to the lookup file to have wildcards in the appropriate places.

---
If this reply helps you, Karma would be appreciated.
0 Karma
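
The wildcard setup described in this answer, written out as an added example that is not part of the original reply: the lookup file from the question with `*` appended to each pattern (shown as comments), and the transforms.conf stanza that corresponds to the "Match type" setting in the lookup definition. The CSV file name `error_message_priority.csv` and the `max_matches = 1` setting are assumptions.

```ini
# Lookup file (assumed name: error_message_priority.csv). The trailing *
# lets each row match any ErrorMessage that starts with the pattern:
#
#   error,priority
#   Unable to find any company of ID*,P2
#   500 Internal Server Error*,P1

# transforms.conf equivalent of the lookup definition edited under
# Settings -> Lookups -> Lookup definitions -> Advanced options.
# The stanza name is the lookup definition name used in the question's search.
[_error_message_prority]
filename = error_message_priority.csv
# "Match type" box: wildcard matching on the lookup's error column
match_type = WILDCARD(error)
# Assumption: keep only the first matching row (in file order), so an event
# that fits several patterns gets one priority instead of a multivalue field
max_matches = 1
```

With `max_matches = 1`, order the rows from most specific to most general, because the first matching row in the file is the one returned.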