
Displaying 'Unknown' when Lookup fails to find a match

DotTest37
Path Finder

I have an Automatic Lookup working just fine.
Some of the values I'm matching don't exist yet in the CSV table (they are populated once a day).
Is there any way to display UNKNOWN as a value for the field when the lookup doesn't exist on the table?
For example, if my CSV lookup table looks like:
Name -- SSN

And sometimes I don't have the Name for an SSN until the next day, so I need to mark the field as 'Unknown' when the search returns an SSN that I don't have a match for the name yet.

Thanks!


carmackd
Communicator

Manager >> Lookups >> Lookup Definition >>

check the advanced options checkbox

In the Minimum matches text box add:
1

In the Default matches text box add:
UNKNOWN

then save
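
The same settings expressed in configuration files, as an added example that is not part of the original answer. `min_matches` and `default_match` are the transforms.conf settings behind the two text boxes; the stanza names, CSV file name, and sourcetype are hypothetical, and the field names follow the question's Name/SSN table.

```ini
# transforms.conf: lookup definition (stanza and file names are hypothetical)
[ssn_to_name]
filename = ssn_names.csv
# Require at least one match for every input value...
min_matches = 1
# ...and when the CSV has no row for it, return this value instead.
default_match = UNKNOWN

# props.conf: automatic lookup (sourcetype and class name are hypothetical)
[my_sourcetype]
LOOKUP-ssn_name = ssn_to_name SSN OUTPUT Name
```

With `min_matches` left at its default of 0, an SSN missing from the CSV produces no Name field at all rather than a placeholder value.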
