Splunk Search

Can we use wildcard characters in a lookup table?

Motivator

Can I create a lookup table with wildcard character *?

I have a lookup like

input,output
user*,USERNAME

so anything that comes like user or user1 or username will match user* and output USERNAME.

1 Solution

Legend

You certainly can. Use the match_type in transforms.conf to specify the field you want to match on as a wildcard, then populate your lookup table just like you've planned to.

So something like this in props.conf:

[yoursourcetype]
LOOKUP-user = userlookup user OUTPUT username

And in transforms.conf:

[userlookup]
filename = userlookup.csv
match_type = WILDCARD(user)

And finally your userlookup.csv:

user,username
user*,USERNAME

You now should be seeing USERNAME whenever the user field has a value of something beginning with "user".

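As an added illustration (not part of this thread and not Splunk's own code), the following Python models what the props.conf/transforms.conf/CSV trio above does: a CSV lookup where the `user` column is matched with `match_type = WILDCARD(user)`, compared with the default exact match. The CSV and events are constructed; only `*` is treated as special, and matching is case-sensitive, which are assumptions of this model.

```python
import csv
import io
import re

# Constructed copy of the userlookup.csv from the accepted answer.
USERLOOKUP_CSV = "user,username\nuser*,USERNAME\n"

# Constructed sample events; "admin" and the event without a user field
# should come back without a username.
EVENTS = [
    {"user": "user"},
    {"user": "user1"},
    {"user": "username"},
    {"user": "admin"},
    {"host": "web01"},
]

def load_lookup(csv_text):
    """Parse the CSV lookup; the header row supplies the field names."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def wildcard_match(pattern, value):
    """WILDCARD-style match: only '*' is special and matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def apply_lookup(events, rows, lookup_field, output_field, wildcard_fields=()):
    """Model of `lookup <name> <lookup_field> OUTPUT <output_field>`.
    Fields in wildcard_fields use wildcard_match (match_type = WILDCARD(<field>)),
    all others are compared literally. The first matching row wins, its value
    overwrites any existing output_field, and non-matching events pass through."""
    match = wildcard_match if lookup_field in wildcard_fields else (lambda p, v: p == v)
    result = []
    for event in events:
        event = dict(event)
        value = event.get(lookup_field)
        if value is not None:
            for row in rows:
                if match(row[lookup_field], value):
                    event[output_field] = row[output_field]
                    break
        result.append(event)
    return result

def demo():
    """Return (events with WILDCARD(user), events with the default exact match)."""
    rows = load_lookup(USERLOOKUP_CSV)
    return (apply_lookup(EVENTS, rows, "user", "username", {"user"}),
            apply_lookup(EVENTS, rows, "user", "username"))
```

Note that without the WILDCARD match type even the literal value `user` gets no output, because it is compared against the string `user*` character for character.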

Path Finder

Thanks. How is this configured in the GUI? I'm doing everything in the GUI so far...

Explorer

It looks like as of at least Splunk Version 7.0.3.4 if you go into Lookups -> Lookup definitions and select the "Advanced options" checkbox there's now a Match type field. I just added "WILDCARD(fieldname)" there and it worked.

0 Karma

New Member

This is printing out all the events, even if it's not matching the wildcard? Any reason why?

0 Karma

SplunkTrust

When you have a similar situation to an old question, please post a new question with a link to the old one and with the specifics of your current situation. That will get you more, better, faster results from the community, as opposed to posting comments or answers on an older question (especially one which has been marked "answered" for LITERALLY years).


New Member

I don't have access to transforms.conf. Is there any way we can do this using a normal search query?

0 Karma

Builder

I know this thread is old, but I'm trying to do the same thing and am stuck. I've followed the instructions but something doesn't make sense to me. Here are my configurations:

props.conf

[mysourcetype]
LOOKUP-sector = sectorlookup "Lookup Field" OUTPUT Sector

transforms.conf

[sectorlookup]
filename = L_Sectors.csv
match_type = WILDCARD("Lookup Field")

L_Sectors.csv

"Lookup Field","Sector"
"A1-A2-A3*","Sector1"
"B1-B2-B3-B4*","Sector2"
"C1-C2-C3*","Sector3"
"D1-D2-D3-D4-D5*","Sector4"

My question is: how do I structure the lookup command? Right now I have

* | lookup L_Sectors.csv "Lookup Field" OUTPUT Sector | table "Lookup Field", Sector

but I'm not getting results. Am I doing the search correctly?

0 Karma

Communicator

FYI - the props.conf addition is not required unless you require an automatic lookup.

Just to expand on the lookup command you have proposed - I will include the default functions which are implied by your command above:

I will rewrite your command above with annotations to point out notable issues:

lookup L_Sectors.csv (1) "Lookup Field" (2) OUTPUT Sector (3) | table "Lookup Field", Sector

(1) You need to invoke the stanza which you have defined which would be:
lookup sectorlookup etc

(2) The syntax for the lookup command is:
lookup <lookup-table-name> <lookup-field1> AS <event-field1>

If you do not specify an <event-field>, then it will default to looking up an event field with the same name as the <lookup-field>.

(3) Note - if you have a field named Sector already, this will be overwritten.

0 Karma

Champion

The props/transforms is required to enable wildcard lookup against the "lookup field". I suspect the "lookup field" needs to be "lookup_field". I don't believe that spaces are allowed in field names, and they may be breaking this.

0 Karma