How to add columns from a lookup table to my searc...

kcchu01 · ‎05-11-2016

I have a lookup table sample_lookup.csv which consists of two fields, wildcard and location

wildcard    location
   *123*        ABC
   *456*        DEF

I would like to add the location field to the existing search and create a new table so I can finally count the number of entries in each location.
My existing search is as follows.

Sample1    UserID 
212389        AAA
345699        BBB
412366        CCC
545688        DDD

I would like to have the table like this by matching the wildcard in the lookup table and add a location field in the new table:

Sample1    UserID    Location
212389        AAA        ABC
345699        BBB        DEF
412366        CCC        ABC
545688        DDD        DEF

How can I make use of lookup to achieve this? It really stuck me for a long time =(

woodcock · ‎05-11-2016

Another option is described here (but you should go with the other one proposed):

https://answers.splunk.com/answers/386488/regex-in-lookuptable.html#answer-387536

sundareshr · ‎05-11-2016

In your lookup table add wildcard chars to your "wildcard" column, like this *123* OR *456*. Then in your transforms, under the stanza for the lookup, add

 match_type = WILDCARD(wildcard)

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf

How to add columns from a lookup table to my search?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!