Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to Perform a Lookup in Splunk When Some Fields in the Lookup Table Are Empty ?

tomapatan
Contributor
‎03-06-2025 12:19 PM

I’m working on a Splunk search that needs to perform a lookup against a CSV file. The challenge is that some of the fields in the lookup table contain empty values, meaning an exact match doesn’t work.

Here’s a simplified version of my search:

 

index="main" eventType="departure"
| table _time commonField fieldA fieldB fieldC fieldD fieldE
| lookup reference_data.csv commonField fieldA fieldB fieldC fieldD fieldE OUTPUTNEW offset

 

The lookup file reference_data.csv contains the fields: commonField , fieldA, fieldB, fieldC, fieldD, fieldE, lookupValue.
Sometimes, fieldB, fieldC, or other fields in the lookup table are empty. fieldA always has a value, sometimes the same, but the value of the offset field changes based on the values of the other fields.
If a lookup row has an empty value for fieldB, I still want it to match based on the available fields.

What I've Tried:
Using lookup normally, but it requires all fields to match exactly, which fails when lookup fields are empty.
Creating multiple lookup commands for different field combinations, but this isn’t scalable.

Desired Outcome:
If commonField  matches, but fieldB is empty in the lookup file, I still want the lookup to return lookupValue.
The lookup should prioritize rows with the most matching fields but still work even if some fields are missing.

 

Is there a way to perform a lookup in Splunk that allows matches even when some lookup fields are empty?

Labels (1)
Labels
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎03-06-2025 01:51 PM

Hi @tomapatan 

I've been having a play around with this and think I might have a solution for you...lets see...

Ive created a lookup containing region, locality and postcode (see below). The region has a high level postcode but the postcode becomes more details when a locality is specified. But what if locality is blank in the search events?? In this case it will return the postcode where the locality is "*"

livehybrid_1-1741297645265.png

 

It is important the the fields which are empty have an asterisks (*) in them as we will configure them as a wildcard (see below):

livehybrid_2-1741297732241.png

 

When configuring the lookup definition, set max matches to 1 so it only returns the first matching result (this will be the most specific result, else it will return the one with an "empty" (wildcard/asterisks) value.
Set the Match type to WILDCARD(yourOptionalField1)

You can set multiple wildcard fields here.

It is important that the default lookup response for your commonField is lower than the more specific options.

Then when we search it will look like this, note that when we specify a locality we get the more detailed postcode, when we omit the locality we only get the high level postcode.

livehybrid_0-1741297629105.png

Does this help at all??

If this doesnt help, then worth checking this post to see if this helps at all? https://community.splunk.com/t5/Splunk-Search/Any-way-to-filter-multiple-wildcard-lookup-matches-to-...

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply

tomapatan
Contributor
‎03-06-2025 02:27 PM

And to confirm - I`ve updated the lookup csv file so that empty values now contain a "*" value, but still not working.

0 Karma
Reply

tomapatan
Contributor
‎03-06-2025 02:25 PM

Hi Will,

Great idea, although I`m not having much success I`m afraid and the output field contains empty values.

Lookup definition screenshot attached (the fieldnames are correct) - can you spot any issues ?

Preview file
114 KB
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...

Introduction to Splunk AI

How are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. Lucky for ...