Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I match values with different file extensions in a lookup?

user93
Communicator
‎02-12-2019 07:38 AM

I have a lookup table, but the match is not exact to the relevant indexed field.

The field that is indexed has string.extension and the lookup table has string.extension. The strings match but the extensions do not. I want to output a new field from the lookup table where the strings match.

index=server host=relevant sourcetype=stats topic!=abc.htm | top topic by product limit=3 | lookup "topic name" base as topic OUTPUT title

My title field is empty. How do I make the near match work, or at least ignore the file extensions? I have some limitations as a user and I'm not able to upload or modify the lookup table.

Thanks for any help. I'm brand new to Splunk. Love the product, but still brand new.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Vijeta
Influencer
‎02-12-2019 09:58 AM

Try this-

index=server host=relevant sourcetype=stats topic!=abc.htm | top topic by product limit=3 |rex field=topic "(?<string>\w+)"|join string|[|inputlookup "topic name" |rex field=base "(?<string>\w+)"]

View solution in original post

Reply
Solved! Jump to solution
Solution

Vijeta
Influencer
‎02-12-2019 09:58 AM

Try this-

index=server host=relevant sourcetype=stats topic!=abc.htm | top topic by product limit=3 |rex field=topic "(?<string>\w+)"|join string|[|inputlookup "topic name" |rex field=base "(?<string>\w+)"]
Reply
Solved! Jump to solution

user93
Communicator
‎02-12-2019 11:30 AM

This is really great, but did not work immidiately. The regex works, but I get an error that subsearches are only valid as commands.

I tested the rex command with: |inputlookup "topic name" | rex field=basename "(?\w+)"

I get the desired output for the rex command with the string added as a new field without the extension. Now I just have to join the two without the error. Thanks for helping me on the right track. I'll continue trying and report back if I have success.

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎02-12-2019 11:38 AM

@user93 There was an extra | in my previous search after join use this-

index=server host=relevant sourcetype=stats topic!=abc.htm | top topic by product limit=3 |rex field=topic "(?<string>\w+)"|join string[|inputlookup "topic name" |rex field=base "(?<string>\w+)"]
0 Karma
Reply
Solved! Jump to solution

user93
Communicator
‎02-12-2019 11:59 AM

Don't know how I missed it too 🙂

Thank you so much. This worked perfectly 🙂

0 Karma
Reply
Solved! Jump to solution

Vijeta
Influencer
‎02-12-2019 12:00 PM

@user93 Great! Please accept the answer if your problem is solved.

0 Karma
Reply
Solved! Jump to solution

user93
Communicator
‎02-12-2019 12:12 PM

Ok! Answer accepted. Thank you again.

I have a new problem I'm working on now. Some of the items in the table seem to be disappearing if they don't have a match in the table. This one though, I think with enough effort I can figure out.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...