Splunk Search

Events mismatch values with lookup values

uagraw01
Motivator

Hello Splunkers!!

We have events that contains source and destination fields with complete values, and we want to match these fields against event data where the corresponding fields (source and destination) may include wildcard values in the lookup. The goal is to accurately match the event data with the appropriate lookup values, ensuring that wildcard patterns in the lookup are properly evaluated during the matching process.

[screenshot of the events]

Values to be matched with the lookup below.

[screenshot of the lookup]

This is what I have tried so far to match the event field values with the lookup field values, but no luck. Please give me some suggestions on how to do this correctly.

| lookup movement_type_ah mark_code as mark_code destination as destination source as source OUTPUTNEW movement_type


0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @uagraw01 ,

what's the issue?

did you unflag the checkbox for exact match in the Lookup Definition?

Ciao.

Giuseppe


uagraw01
Motivator

@gcusello As per the screenshot below, do I need to specify the match_type for both fields?

[screenshot]

FYI @gcusello I have added the entries below and it started working as expected.

WILDCARD(source), WILDCARD(position), WILDCARD(destination)

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @uagraw01 ,

good for you, remember to unflag the Case sensitive match.

let me know if I can help you more, or, please, accept one answer for the other people of the Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated :winking_face:

0 Karma
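For readers who manage lookups in configuration files rather than through the UI, here is the transforms.conf stanza equivalent to the Lookup Definition settings discussed in this thread. This is an added example, not from the original thread; the stanza name movement_type_ah, the CSV filename and the field names are assumed from the search in the question.

```ini
# transforms.conf (equivalent to Settings > Lookups > Lookup definitions > Advanced options).
# Added illustration, not from the thread: the stanza name, the CSV filename and the
# field names source, destination, mark_code and movement_type are assumptions.

[movement_type_ah]
filename = movement_type_ah.csv

# Exact match is the default, so a "*" in a lookup cell is compared literally and
# never matches an event's full value. Declare the columns that hold wildcard
# patterns; mark_code is not listed and therefore stays an exact match.
match_type = WILDCARD(source), WILDCARD(destination)

# Compare event values and lookup patterns case-insensitively
# (the "Case sensitive match" checkbox in the UI; the default is true).
case_sensitive_match = false
```

With this stanza in place the search from the question works unchanged: a lookup cell such as `*` or `abc*` in the source or destination column is treated as a glob against the event's full value, while mark_code must still match exactly. Restart the search head or reload the configuration after editing the file, and keep only the columns that really carry patterns in match_type, since every WILDCARD column has to be pattern-matched for each event.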