Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to lookup table wildcard search?

splunkuser924
Engager
‎08-18-2022 05:49 AM

I'm trying to do a search with a lookup table and can't seem to get the search to perform what I'm wanting. I have some data that produces a table output like below.

_time user interesting
8/18/22 user1 a few words here

 

I have a lookup table with a list of words in it. The lookup table has a header of "Words" and a list of words separated by line feed. I would like to perform a search where I get back the sub results of the main search where a single word in my lookup matches anywhere in the interesting field. I got a partial match with the following search.

 

my search terms | lookup WordsLookup.csv Words as Interesting OUTPUT Words | table _time, user, Interesting, Words

 

In this case, it will return all results for my search terms and only a match where the Interesting field is EXACTLY the lookup of Words. I set WILDCARD(Words) in the lookup definition.

 

Help? Thanks

Labels (2)
Labels
0 Karma
Reply

splunkuser924
Engager
‎08-18-2022 07:24 AM

I've started to solve my own problem but I have hit a snag... It turns out that I was doing the right thing by setting the lookup definition to WILDCARD(Words) but I wasn't calling the lookup definition, still just the lookup table, oops... I'm using the following and it's kinda working. I had to modify my list of words as such

 

Words

*word1*

*word2*

 

my search terms | lookup "My Lookup" Words as Interesting OUTPUT Words | table _time, user, Interesting, Words

 

Now I get matches, but too many matches. 

 

_timeuserInterestingWords
8/18/2022user1my words1list herewords1

 

The above match is incorrect as I only want full word matches. I tried updating my lookup table to * words1 * (note the space) and that works for "my words1 here" but not "I have words1".

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...