Hi all,
Apologies for the vague title; I have a lookup problem that I need help with, so any help is greatly appreciated.
I have a .CSV file containing a single field named 'high_risk_keywords' that I wish to use to help filter search results. My web filter logs are plugged into Splunk with SSL decryption enabled, so I am able to pull out keywords from Google, Bing, Yahoo and YouTube using callouts.
I'm currently using the following search to do this:
index=webfilter url="*bing*" [| inputlookup high_risk_words.csv | fields high_risk_words | rename high_risk_words as bing_callout | eval bing_callout="*"+bing_callout+"*"] | stats count by bing_callout, src, user | sort -count
If the user searched the word 'Ferrari', I get results like:
ferrari
how+to+build+a+ferrari
ferarri%20
etc...
Instead of having 4 x search results with 1 x count each, I would like to have 4 x hits for the word 'ferrari'. Is there a way to achieve this where the entry for 'ferrari' not only includes an exact match but also includes variations as shown above?
I've tried editing:
eval bing_callout="*"+bing_callout+"*"]
to
eval bing_callout=bing_callout]
but this only includes exact matches for the word 'ferrari' and terms like 'how+to+build+a+ferarri' get missed.
I hope this all makes sense, any help would be really really appreciated!
Thank you 🙂
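One way to get a count per keyword rather than per raw search string is to keep the wildcard subsearch as a filter, normalise the extracted term (URL-decode, lowercase, turn '+' and '%20' into spaces), split it into words, and then run the words back through the same CSV with the lookup command so that each event is tagged with the keyword that actually matched. The search below is an added example written for this thread, not part of the original question, and it assumes the field names from the post: bing_callout is the extracted Bing search term, the CSV column is high_risk_words, and the keywords in the CSV are stored in lowercase, one word per row.

```spl
index=webfilter url="*bing*"
    [| inputlookup high_risk_words.csv
     | fields high_risk_words
     | rename high_risk_words AS bing_callout
     | eval bing_callout="*"+bing_callout+"*"]
| eval term=lower(urldecode(bing_callout))
| rex field=term mode=sed "s/[\s+_-]+/ /g"
| eval term=trim(term)
| makemv delim=" " term
| mvexpand term
| lookup high_risk_words.csv high_risk_words AS term OUTPUT high_risk_words AS matched
| where isnotnull(matched)
| stats count BY matched, src, user
| sort -count
```

With this, 'ferrari', 'how+to+build+a+ferrari' and 'ferrari%20' all collapse to one row for 'ferrari' with a count of 3 for that src/user, because the word 'ferrari' is extracted from each and matched exactly against the CSV. The where clause drops the words that are not in the list (how, to, build, a). Two caveats: the word split means a multi-word keyword in the CSV would need to be matched differently (for example with a lookup definition that uses match_type = WILDCARD in transforms.conf), and if the lookup is not meant to be case sensitive, make sure the CSV values are lowercase to match the lower() applied to the term.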