Splunk Search

Can I join a data model with a lookup using a wildcard character (*)?

Motivator

Hi

I have an issues where I am joining a Data-model with a lookup table and its working very well.
We are looking to extend the usability to add a wild-character * into the lookup . So in the lookup we don't have to keep adding in the full string name, we can add in part of it then * [For Example XYZ*]

One table is Datamodel

Context_Command
NULL#NULL
cancel#Exit
Dealinput#Eventslist
SessionCreate#MXODR
DictionaryManager#NULL

Seconds Table Lookup is smaller a sub set
Context_Command
NULL#NULL
cancel#Exit
SessionCreate#MXODR

Proposed Second Table (With Wilde characters)
NULL*
cancel#Ex*
SessionC*

Current code that i have
| join Context+Command type=left [inputlookup TESTMXTIMING.csv | rename ContextCommand AS Context+Command ]

Any help would be brill : )

0 Karma
1 Solution

SplunkTrust
SplunkTrust

First, for your current implementation, I would get away from using join and use lookup command instead like this

your data model search
| lookup TEST_MXTIMING.csv Context_Command AS "Context+Command"

For using wildcard in lookup matching, YOu would need to configure a lookup definition for your lookup table with match_type as wildcard. See this link for how to implement the same.
https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

Once you've a lookup definition, your query should look like this

your data model search
| lookup YourLookupDefinitionName Context_Command AS "Context+Command"

FYR, these would the configuration changes for your lookup definition

All changes in Search Head(s)

transforms.conf:

 [TEST_MXTIMING]
 filename = TEST_MXTIMING.csv
 match_type = WILDCARD(Context_Command)

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

First, for your current implementation, I would get away from using join and use lookup command instead like this

your data model search
| lookup TEST_MXTIMING.csv Context_Command AS "Context+Command"

For using wildcard in lookup matching, YOu would need to configure a lookup definition for your lookup table with match_type as wildcard. See this link for how to implement the same.
https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

Once you've a lookup definition, your query should look like this

your data model search
| lookup YourLookupDefinitionName Context_Command AS "Context+Command"

FYR, these would the configuration changes for your lookup definition

All changes in Search Head(s)

transforms.conf:

 [TEST_MXTIMING]
 filename = TEST_MXTIMING.csv
 match_type = WILDCARD(Context_Command)

View solution in original post

0 Karma

Motivator

Thanks for the answer for the most part this has worked, however i am not sure if what i am see it a "bug"

So i hvae replaced the Join and now i have the following

| lookup MXTIMINGlookup ContextCommand AS "Context+Command" OUTPUT Tags CC_Description Threshold

The issues is that the lookup wild characters are giving me strange answers. So Example 1 - Working

This is the look up table - I get 10 Row returned to me [As i should] It finds a match for NULL#Login and this is good
ContextCommand CCDescription Tags Alert Threshold
NULL#Login TEST2 TEST2 y 5

Then i change the lookup table to have the wild characters NUL* + NULL#Login (So perhaps the user made a mistake) [Now i only get 8 row returned to me and the 2 rows with NULL#Login are excluded]
ContextCommand CCDescription Tags Alert Threshold
NUL* TEST1 TEST2 y 5
NULL#Login TEST2 TEST2 y 5

Is there a setting i can set for this?

0 Karma