Solved: Can I use catch alls (wildcards) in Splunk lookups...

mark_cet · ‎09-06-2022

We have alert events coming into Splunk & Splunk ITSI that we open Service Now incidents for, but depending on the event contents the incident will need to be routed to different teams.

An example scenario is, if the alert comes from server A then set the Service Now assignment group to team A, alerts from all other servers should go to team B.

We will have many of these scenarios in our environment, what is the best way to do this?

Thanks in advance!

yuanliu · ‎09-07-2022

Ah, for that, you want to use case function instead of nesting if()s. (Yes, you can nest to your heart's content.)

View solution in original post

yuanliu · ‎09-07-2022

I think you are looking for the if function, not a wildcard solution.

Suppose you have a lookup table ServiceNowAssign like the following

Server	Team
A	Team A

You can set up a search like this

(your alert condition)
| lookup ServiceNowAssign Server
| eval assignTo = if(isnull(Team), "Team B", Team)

mark_cet · ‎09-07-2022

Thanks Yuanliu.

Can the IF function be nested in the event we have multiple conditions?

Regards,

Mark

yuanliu · ‎09-07-2022

Ah, for that, you want to use case function instead of nesting if()s. (Yes, you can nest to your heart's content.)

mark_cet · ‎09-08-2022

Thanks again yuanliu!

Can I use catch alls (wildcards) in Splunk lookups if an exact match is not found?

Mastering Data Pipelines: Unlocking Value with Splunk

The Latest Cisco Integrations With Splunk Platform!

AI Adoption Hub Launch | Curated Resources to Get Started with AI in Splunk