Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How are values in lookups matched?

gkanapathy
Splunk Employee
Splunk Employee
‎03-17-2010 09:19 PM

When a field value is passed to a lookup, what are the limits on how it can match the value in the lookup? Specifically:

  • Is the match case-sensitive? If not, what locale rules are used? Similarly, is it diacritic-sensitive?
  • Are any kinds of wildcards allowed? Can I use, e.g., * or Prefix-* in a lookup table and expect it to match an event field value like Prefix-1?
Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Jason
Motivator
‎07-13-2012 09:45 AM

As of Splunk 4.2(?), transforms.conf allows you to specify both case_sensitive_match and match_type to set the behavior of field matching in lookups:

case_sensitive_match = <bool>
* If set to false, case insensitive matching will be performed for all fields in a lookup table
* Defaults to true (case sensitive matching)

match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>) specification to allow for non-exact matching
* The avaiable match_type values are WILDCARD, CIDR, and EXACT.  EXACT is the default and does not need to be specified.  Only fields that should use WILDCARD or CIDR matching should be specified in this list

case_sensitive_match applies to all fields in the lookup.

What match_type means, if I remember correctly, is that if you have field1=foobar in your event, and a lookup file with a foo* line in it, match_type = WILDCARD(field1) will make foobar match foo*.

View solution in original post

Reply
Solved! Jump to solution
Solution

Jason
Motivator
‎07-13-2012 09:45 AM

As of Splunk 4.2(?), transforms.conf allows you to specify both case_sensitive_match and match_type to set the behavior of field matching in lookups:

case_sensitive_match = <bool>
* If set to false, case insensitive matching will be performed for all fields in a lookup table
* Defaults to true (case sensitive matching)

match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>) specification to allow for non-exact matching
* The avaiable match_type values are WILDCARD, CIDR, and EXACT.  EXACT is the default and does not need to be specified.  Only fields that should use WILDCARD or CIDR matching should be specified in this list

case_sensitive_match applies to all fields in the lookup.

What match_type means, if I remember correctly, is that if you have field1=foobar in your event, and a lookup file with a foo* line in it, match_type = WILDCARD(field1) will make foobar match foo*.

Reply
Solved! Jump to solution

bsayatovic
Path Finder
‎02-25-2013 10:38 AM

What about a prefixed wildcard instead of suffix? e.g. will a lookup file with a "*bar" line in it, match_type = WILDCARD(field1) match "foobar"? I've tried this but can't get it to work, but maybe I've done something else wrong.

Reply
Solved! Jump to solution

sinvin
Engager
‎09-30-2021 12:16 PM

Hey @bsayatovic ,
Did you happen to find a solution for the prefix wildcard? I am running into same issue, so wondering if you found a way around it.

0 Karma
Reply
Solved! Jump to solution

steveyz
Splunk Employee
Splunk Employee
‎04-08-2010 05:33 PM

Matches are case sensitive as well as diacritic-sensitive.

No wildcards are allowed at this time.

Reply
Solved! Jump to solution

lguinn2
Legend
‎07-26-2012 11:42 AM

This is true by default, but you can now change this to some degree.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...