Can you help me with my wildcard search in a looku...

swetar · ‎12-03-2018

Hi ,

I have created a csv lookup and wanted to perform wild card search on it. Is it possible?
lookup name # Inputlookup value.csv

Can anyone please suggest me on it.

Thanks in advance.
swetar

HiroshiSatoh · ‎12-03-2018

It can not be set in GUI when wild card is used. You need to edit the configuration file.

https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

tom_frotscher · ‎12-03-2018

Hi,

can you provide a little bit more context? How do you want to search on the lookup? Do you have a search example?

You can always use
| inputlookup value.csv | search foo=*

or you can use the where clause directly in the inputlookup command, which is better for performance:
| inputlookup value.csv where foo > 0

You can find more examples in the inputlookup documentation:
http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Inputlookup

Greetings

Tom

swetar · ‎12-03-2018

Thank you for your reply.
I wanted to use in the below way. I dont want to specify the column name
inputlookup value.csv| search "wildcharater"

tom_frotscher · ‎12-03-2018

You can not search in the lookup file without specifying a field. A lookup does not run through the indexing pipeline and therefore isnt tokenized and does not have a_raw field for example, therefore you can not search just for text.

But if your csv file has timestamps, you can of course just index your csv file, like you would index any other data.

Can you help me with my wildcard search in a lookup?

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI