- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can we use wildcard characters in a lookup table?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You certainly can. Use the match_type in transforms.conf to specify the field you want to match on as a wildcard, then populate your lookup table just like you've planned to.
So something like this in props.conf:
[yoursourcetype]
LOOKUP-user = userlookup user OUTPUT username
And in transforms.conf:
[userlookup]
filename = userlookup.csv
match_type = WILDCARD(user)
And finally your userlookup.csv:
user,username
user*,USERNAME
You now should be seeing USERNAME whenever the user field has a value of something beginning with "user".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks. how is this configured in GUI? As I'm doing everything in GUI so far...,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It looks like as of at least Splunk Version 7.0.3.4 if you go into Lookups -> Lookup definitions and select the "Advanced options" checkbox there's now a Match type field. I just added "WILDCARD(fieldname)" there and it worked.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this is printing out all the events. even if its not matching the wildcard? any reason why ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you have a similar situation to an old question, please post a new question with a link to the old one and with the specifics of your current situation. That will get you more, better, faster results from the community, as opposed to posting comments or answers on an older question (especially one which has been marked "answered" for LITERALLY years).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You certainly can. Use the match_type in transforms.conf to specify the field you want to match on as a wildcard, then populate your lookup table just like you've planned to.
So something like this in props.conf:
[yoursourcetype]
LOOKUP-user = userlookup user OUTPUT username
And in transforms.conf:
[userlookup]
filename = userlookup.csv
match_type = WILDCARD(user)
And finally your userlookup.csv:
user,username
user*,USERNAME
You now should be seeing USERNAME whenever the user field has a value of something beginning with "user".
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I dont have access to transforms.conf. is there anyway we can do this using normal search query ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know this thread is old, but I'm trying to the same thing and am stuck. I've followed the instructions but something doesn't make sense to me. Here are my configurations:
props.conf
[mysourcetype]
LOOKUP-sector = sectorlookup "Lookup Field" OUTPUT Sector
transforms.conf
[sectorlookup]
filename = L_Sectors.csv
match_type = WILDCARD("Lookup Field")
L_Sectors.csv
"Lookup Field","Sector"
"A1-A2-A3*","Sector1"
"B1-B2-B3-B4*","Sector2"
"C1-C2-C3*","Sector3"
"D1-D2-D3-D4-D5*","Sector4"
My question is: how do I structure the lookup command? Right now I have
* | lookup L_Sectors.csv "Lookup Field" OUTPUT Sector | table "Lookup Field", Sector
but I'm not getting results. Am I doing the search correctly?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FYI - the props.conf addition is not required unless you require an automatic lookup.
Just to expand on the lookup command you have proposed - I will include the default functions which are implied by your command above:
I will rewrite your command above with annotations to point out notable issues:
lookup L_Sectors.csv**(1)** "Lookup Field" **(2)** OUTPUT Sector**(3)** | table "Lookup Field", Sector
(1) You need to invoke the stanza which you have defined which would be:
lookup sectorlookup etc
(2) The syntax for the lookup command is:
lookup < lookup-table-name > < lookup-field1 > AS < event-field1 >
If you do not specify an < event-field > then it will default to lookup an event field with the same name as the < lookup-field >
(3) Note - if you have a field named Sector already this will will be overwritten.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The props/transforms is required to enable wildcard lookup against the "lookup field". I suspect the "lookup field" need to be "lookup_field". Don't believe that spaces are allowed in field names and may be breaking this.
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
