How to set up an automatic lookup where a predefined value is used when there is no match in the lookup?

HeinzWaescher
Motivator

Hi,

I would like to set up an automatic lookup, where a predefined value is used when there is no match in the lookup.

Let's say the lookup input field is Key=A and the lookup output field is amount=250. For events without Key=A the output should always be amount=100.
Using

| fillnull value=100 amount

in every search would be possible, but including it in the automatic lookup would be much better. Is this possible?

Thanks in advance

Heinz


HeinzWaescher
Motivator

Hi Mus,

thanks for your answers, this seems to be a possible solution.
I've found another option in the lookup "definitions" which is easier to use.

Minimum matches: 1

Default matches: 100

BR

Heinz

MuS
SplunkTrust

nice, this ends up in transforms.conf as default_match

default_match = <string>
* If min_matches > 0 and Splunk has less than min_matches for any given input, it provides 
  this default_match value one or more times until the min_matches threshold is reached.
* Defaults to empty string. 
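The full configuration behind the UI setting discussed above, as an added example that is not part of any post in this thread: the lookup name, CSV file name and sourcetype are assumed; Key and amount are the fields from the question.

```ini
; Contents of the lookup file amounts.csv (constructed sample table, assumed name):
;   Key,amount
;   A,250

; transforms.conf: the lookup definition ("Minimum matches" / "Default matches" in the UI)
[amount_lookup]
filename = amounts.csv
; Demand at least one match per event; events whose Key is not in the CSV
; still get one output row, filled with default_match instead of a CSV row.
min_matches = 1
default_match = 100

; props.conf: wire the definition up as an automatic lookup on the sourcetype (assumed name)
[my_sourcetype]
; Match the event's Key against the CSV and write the amount column into the event.
; Events with Key=A get amount=250; every other event gets amount=100 from default_match,
; so no "| fillnull value=100 amount" is needed in the search.
LOOKUP-amount = amount_lookup Key OUTPUT amount
```

Because default_match applies to every output field of the definition, keep lookups that need a default separate from lookups that should leave unmatched events untouched.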

MuS
SplunkTrust

Hi HeinzWaescher,

you could set up an eval-based statement in props.conf:

EVAL-<fieldname> = <eval statement>
* Use this to automatically run the <eval statement> and assign the value of the output 
  to <fieldname>. This creates a "calculated field."
* When multiple EVAL-* statements are specified, they behave as if 
  they are run in parallel, rather than in any particular sequence.  
  For example say you have two statements: EVAL-x = y*2 and EVAL-y=100. In this case, "x" 
  will be assigned the original value of "y * 2," not the value of "y" after it is set to 100.
* Splunk processes calculated fields after field extraction and field aliasing but before 
  lookups. This means that:
        * You can use a field alias in the eval statement for a calculated field.
        * You cannot use a field added through a lookup in an eval statement for a calculated
          field.       

The eval could look like this:

EVAL-amount = if(isnull(amount), "100" , amount)

This is untested, so maybe you need to adapt it to your needs.

cheers, MuS
