Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a lookup matching non-exact words ?

damode
Motivator
‎01-09-2018 04:07 PM

I have the below type of event and I want to add a category field to it using lookups

time    Transaction Business name
6/01/2018   40.22   ABC foods 6697    VALE  TAP AND PAY 0000
8/01/2018   45.22   supermarket suburb TAP and PAY 0000

So, I created the following lookup - test.csv

Business name,Category
ABC foods 6697    VALE  TAP AND PAY 0000,Dine out
DEF utilities,Utilities
TARGET suburb name,Shopping
supermarket suburb TAP and PAY 0000,Groceries

Below is my search query,

index="finance" sourcetype="csv_finance" | lookup test.csv "Business name" OUTPUT Category|  table "Business name" Category

but its not displaying the results.
How can I create a successful lookup that will display the categories along with the business name in the search results ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

micahkemp
Champion
‎01-09-2018 04:55 PM

You can do wildcard matching in your lookup. And to avoid confusion I'd use _ instead of in your field names in the lookup.

transforms.conf:

[test]
filename = test.csv
match_type = WILDCARD(Business_name)

test.csv:

 Business_name,Category
 ABC*,Dine out
 DEF*,Utilities
 TARGET*,Shopping
 supermarket*,Groceries

And when searching:

index="finance" sourcetype="csv_finance" | lookup test Business_name AS "Business name" OUTPUT Category|  table "Business name" Category

View solution in original post

Reply
Solved! Jump to solution
Solution

micahkemp
Champion
‎01-09-2018 04:55 PM

You can do wildcard matching in your lookup. And to avoid confusion I'd use _ instead of in your field names in the lookup.

transforms.conf:

[test]
filename = test.csv
match_type = WILDCARD(Business_name)

test.csv:

 Business_name,Category
 ABC*,Dine out
 DEF*,Utilities
 TARGET*,Shopping
 supermarket*,Groceries

And when searching:

index="finance" sourcetype="csv_finance" | lookup test Business_name AS "Business name" OUTPUT Category|  table "Business name" Category
Reply
Solved! Jump to solution

damode
Motivator
‎01-09-2018 05:56 PM

Thanks @micahkemp!

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎01-09-2018 04:44 PM

Does your lookup table have the numbers at the front of the line? It's displayed with two leading numbers, which seems to indicate the 2nd number per line is actually in your file.

0 Karma
Reply
Solved! Jump to solution

damode
Motivator
‎01-09-2018 04:48 PM

No, the lookup table doesnt have any numbers. Sorry, I got the formatting wrong while posting this qn. I will update it.

0 Karma
Reply
Solved! Jump to solution

micahkemp
Champion
‎01-09-2018 04:51 PM

It's also unclear from your posted data what the values of each field are in the event. Is the Business Name ABC foods 6697 VALE TAP AND PAY 0000?

0 Karma
Reply
Solved! Jump to solution

damode
Motivator
‎01-09-2018 04:53 PM

Yes, thats right.
the data is of bank transactions in csv file format.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...