Splunk Search

Can we use wildcard characters in a lookup table?

rakesh_498115
Motivator

Can I create a lookup table with wildcard character *?

I have a lookup like

input,output
user*,USERNAME

so anything that comes like user or user1 or username will match user* and output USERNAME.

1 Solution

Ayn
Legend

You certainly can. Use the match_type in transforms.conf to specify the field you want to match on as a wildcard, then populate your lookup table just like you've planned to.

So something like this in props.conf:

[yoursourcetype]
LOOKUP-user = userlookup user OUTPUT username

And in transforms.conf:

[userlookup]
filename = userlookup.csv
match_type = WILDCARD(user)

And finally your userlookup.csv:

user,username
user*,USERNAME

You now should be seeing USERNAME whenever the user field has a value of something beginning with "user".

leonjxtan
Path Finder

Thanks. How is this configured in the GUI? I'm doing everything in the GUI so far...

tmcmaster
Explorer

It looks like as of at least Splunk Version 7.0.3.4 if you go into Lookups -> Lookup definitions and select the "Advanced options" checkbox there's now a Match type field. I just added "WILDCARD(fieldname)" there and it worked.

VARWIZ
New Member

This is printing out all the events, even if it's not matching the wildcard. Any reason why?

DalJeanis
Legend

When you have a similar situation to an old question, please post a new question with a link to the old one and with the specifics of your current situation. That will get you more, better, faster results from the community, as opposed to posting comments or answers on an older question (especially one which has been marked "answered" for LITERALLY years).

VARWIZ
New Member

I don't have access to transforms.conf. Is there any way we can do this using a normal search query?

andrewtrobec
Motivator

I know this thread is old, but I'm trying to do the same thing and am stuck. I've followed the instructions but something doesn't make sense to me. Here are my configurations:

props.conf

[mysourcetype]
LOOKUP-sector = sectorlookup "Lookup Field" OUTPUT Sector

transforms.conf

[sectorlookup]
filename = L_Sectors.csv
match_type = WILDCARD("Lookup Field")

L_Sectors.csv

"Lookup Field","Sector"
"A1-A2-A3*","Sector1"
"B1-B2-B3-B4*","Sector2"
"C1-C2-C3*","Sector3"
"D1-D2-D3-D4-D5*","Sector4"

My question is: how do I structure the lookup command? Right now I have

* | lookup L_Sectors.csv "Lookup Field" OUTPUT Sector | table "Lookup Field", Sector

but I'm not getting results. Am I doing the search correctly?

alexandermunce
Communicator

FYI - the props.conf addition is not required unless you require an automatic lookup.

Just to expand on the lookup command you have proposed - I will include the default functions which are implied by your command above:

I will rewrite your command above with annotations to point out notable issues:

lookup L_Sectors.csv (1) "Lookup Field" (2) OUTPUT Sector (3) | table "Lookup Field", Sector

(1) You need to invoke the stanza which you have defined which would be:
lookup sectorlookup etc

(2) The syntax for the lookup command is:
lookup <lookup-table-name> <lookup-field1> AS <event-field1>

If you do not specify an <event-field> then it will default to lookup an event field with the same name as the <lookup-field>

(3) Note - if you have a field named Sector already, this will be overwritten.

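
The two configurations in this thread (the accepted answer's userlookup with match_type = WILDCARD(user), and the L_Sectors.csv table queried with `lookup sectorlookup "Lookup Field" OUTPUT Sector` as laid out in the post above) can be sanity-checked offline before anyone touches transforms.conf. The following is an added example written for this thread, not Splunk code and not from any poster: a small Python emulation of a CSV lookup whose match field is declared WILDCARD. Both CSV tables and all events are constructed sample data, and the function names are this example's own. It assumes the rules a practitioner should verify against their own deployment: only `*` is a wildcard and every other character in a key is literal, the pattern is anchored so `user*` cannot match `superuser`, comparison is case-sensitive (the CSV lookup default, `case_sensitive_match = true`), the first matching row in file order wins, and an unmatched event passes through with the output field absent, because `lookup` enriches events rather than filtering them.

```python
"""
Offline emulation of a Splunk CSV lookup configured with match_type = WILDCARD(<field>).

Added example for this thread, not Splunk code. All CSV rows and events below
are constructed sample data; every function name is this example's own.
"""
import csv
import io
import re
from typing import Dict, List

# Constructed table with the same columns as userlookup.csv in the accepted answer.
USERLOOKUP_CSV = """user,username
user*,USERNAME
svc-*,SERVICE_ACCOUNT
admin,ADMIN
"""

# Constructed table with the same columns as L_Sectors.csv from later in the thread.
SECTORS_CSV = """"Lookup Field","Sector"
"A1-A2-A3*","Sector1"
"B1-B2-B3-B4*","Sector2"
"""

# Constructed events, as they would look after field extraction.
USER_EVENTS: List[Dict[str, str]] = [
    {"user": "user"},        # exact prefix, matches user*
    {"user": "user1"},       # matches user*
    {"user": "username"},    # matches user*
    {"user": "superuser"},   # no match: the pattern is anchored at both ends
    {"user": "svc-backup"},  # matches svc-*
    {"user": "ADMIN"},       # no match: CSV lookups compare case-sensitively by default
    {"src": "10.0.0.1"},     # no user field at all: the lookup leaves the event untouched
]


def wildcard_to_regex(key: str) -> "re.Pattern[str]":
    """Turn a wildcard lookup key into an anchored regex.

    Only '*' is special. Everything else is escaped, so a key like 'a.b*'
    matches 'a.b1' but not 'aXb1', and 'user*' cannot match 'superuser'.
    A key with no '*' therefore behaves as an exact match.
    """
    return re.compile("^" + ".*".join(re.escape(p) for p in key.split("*")) + "$")


def load_lookup(csv_text: str, wildcard_fields: List[str]) -> List[dict]:
    """Parse the CSV and precompile a regex for every WILDCARD() field."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({"row": row,
                     "patterns": {f: wildcard_to_regex(row[f]) for f in wildcard_fields}})
    return rows


def _matches(entry: dict, lookup_field: str, value) -> bool:
    """True when the event value satisfies this row's key for one lookup field."""
    if value is None:
        return False
    pattern = entry["patterns"].get(lookup_field)
    if pattern is not None:
        return pattern.match(value) is not None
    return entry["row"][lookup_field] == value  # non-wildcard field: exact compare


def apply_lookup(events, lookup, match_fields: Dict[str, str], output_fields: List[str]):
    """Enrich events like `| lookup <name> <lookup-field> AS <event-field> OUTPUT <fields>`.

    match_fields maps lookup field -> event field (the AS clause; use the same
    name on both sides when there is no AS). Output fields are written only when
    a row matches, overwriting any existing field of that name; an unmatched
    event is returned unchanged, which is why `lookup` never filters by itself.
    The first matching row in file order wins (this example's choice).
    """
    enriched = []
    for event in events:
        out = dict(event)
        for entry in lookup:
            if all(_matches(entry, lf, out.get(ef)) for lf, ef in match_fields.items()):
                for f in output_fields:
                    out[f] = entry["row"][f]
                break
        enriched.append(out)
    return enriched


def user_demo():
    """The accepted answer's case: `| lookup userlookup user OUTPUT username`."""
    lookup = load_lookup(USERLOOKUP_CSV, wildcard_fields=["user"])
    return apply_lookup(USER_EVENTS, lookup, {"user": "user"}, ["username"])


def sector_demo():
    """The later case, field name with a space: `| lookup sectorlookup "Lookup Field" OUTPUT Sector`."""
    lookup = load_lookup(SECTORS_CSV, wildcard_fields=["Lookup Field"])
    events = [{"Lookup Field": "A1-A2-A3-07"},
              {"Lookup Field": "B1-B2-B3-B4"},
              {"Lookup Field": "Z9"}]
    return apply_lookup(events, lookup, {"Lookup Field": "Lookup Field"}, ["Sector"])


def matched_only(enriched, output_field: str):
    """Equivalent of appending `| where isnotnull(<output_field>)` to keep only matches."""
    return [e for e in enriched if output_field in e]


if __name__ == "__main__":
    for e in user_demo():
        print(e)
    print(matched_only(sector_demo(), "Sector"))
```

Running it shows `superuser` and the `src`-only event coming back without a `username` field rather than being dropped; if a search built on such a lookup appears to return every event, that is the expected enrichment behaviour, and a trailing `| where isnotnull(username)` (emulated by `matched_only`) is what narrows the results to the matches.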
the_wolverine
Champion

The props/transforms is required to enable wildcard lookup against the "lookup field". I suspect the "lookup field" needs to be "lookup_field". Don't believe that spaces are allowed in field names, and they may be breaking this.
