Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you lookup match field names by wildcard or regex?

xshen_anji
New Member
‎03-29-2019 07:08 AM

I have some customer provided CSV lookup files. These lookup files have some "similar" field names, which means they contain some common keywords. I would like do a keyword match in lookup command to these similar fields. Is there a way to do this ?

An example is:

lookup file1's title is like: population, average income, location
lookup file2's title is like: population, income, location

I would like to use the field that contains "income" as the lookup condition, how can I do this with one common lookup statement?

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎03-31-2019 07:09 PM

You are misunderstanding the 2 different ways to use lookup files. One way is with the ... | lookup command syntax, which uses the WILDCARD() syntax (among other settings) within the Lookup definitions, the other is with the |inputlookup command syntax which DOES NOT interact with the Lookup definitions. In the latter case, just do something like this:

index=_internal [ |inputlookup hosts_reporting.csv | eval host=host + "*" ]
Reply

ddrillic
Ultra Champion
‎04-01-2019 03:54 AM

Very interesting @woodcock - thank you for the clarification.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-01-2019 01:24 PM

If you have your answer, pick one and click Accept to close the question.

Reply

ddrillic
Ultra Champion
‎04-01-2019 02:39 PM

Hi @woodcock - it's not mine - I just joined the ride ; -)

0 Karma
Reply

woodcock
Esteemed Legend
‎03-31-2019 07:03 PM

See here for how to lookup with RegEx:
https://answers.splunk.com/answers/386488/regex-in-lookuptable.html

Reply

ddrillic
Ultra Champion
‎03-30-2019 04:08 PM

According to How to use wildcard in lookup-based searches and alerts?

You can specify -

 match_type = WILDCARD(income)

In the transforms.conf definition of your lookup.

I just tested it, I have - 

$SPLUNK_HOME/etc/apps/search/local

$ cat transforms.conf 

[hosts_reporting]
batch_index_query = 0
case_sensitive_match = 1
filename = hosts_reporting.csv
match_type = WILDCARD(host)

One of the host names in hosts_reporting.csv is the beginning of a host name and it comes up via -

index=_internal [ | inputlookup hosts_reporting.csv | eval host=host + "*" ]

But it doesn't when running -

index=_internal [ | inputlookup hosts_reporting ]

Isn't it weird?

0 Karma
Reply

ddrillic
Ultra Champion
‎03-31-2019 06:32 PM

Any thoughts on this one, by any chance? @woodcock?

0 Karma
Reply

somesoni2
Revered Legend
‎03-29-2019 08:42 AM

How are you planning to run lookup on both lookup table files? What all have you tried so far? Any specific reason to have common lookup statement?

0 Karma
Reply

xshen_anji
New Member
‎03-30-2019 07:51 AM

Basically, I am running an app which processes a lookup file with some data files. The lookup csv file, which is generated from reporting systems of different vendors, varied a little bit in title fields, but the keywords are basically the same . Since there are a lot of customers, it would be easy to manage if I have one lookup statement to support all these lookup files. Now I am trying to make it a rule to all the customers, asking for manually editing the titles to make them the same, but it would still be desirable to tolerate some kind of fault or difference.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...