Splunk Search

How to set up an automatic lookup where a predefined value is used when there is no match in the lookup?

HeinzWaescher
Motivator

Hi,

I would like to set up an automatic lookup, where a predefined value is used when there is no match in the lookup.

Let's say the lookup input field is Key=A and the lookup output field is amount=250. For events without Key=A the output should always be amount=100.
Using

| fillnull value=100 amount

in every search would be possible, but including it in the automatic lookup would be much better. Is this possible?

Thanks in advance

Heinz


HeinzWaescher
Motivator

Hi Mus,

Thanks for your answers; this seems to be a possible solution.
I've found another option in the lookup "definitions", which is easier to use.

Minimum matches: 1

Default matches: 100

BR

Heinz

MuS
SplunkTrust

nice, this ends in transforms.conf as default_match

default_match = <string>
* If min_matches > 0 and Splunk has less than min_matches for any given input, it provides 
  this default_match value one or more times until the min_matches threshold is reached.
* Defaults to empty string. 
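The same setup written directly in the .conf files, as an added example that is not from any post in this thread. The stanza name key_amount, the lookup file key_amount.csv (columns Key and amount, containing the row A,250) and the sourcetype my_sourcetype are assumptions chosen for the illustration.

```ini
# transforms.conf
# Lookup definition; key_amount and key_amount.csv are assumed names.
[key_amount]
filename = key_amount.csv
# Require at least one match per event. When no row matches the event's Key,
# Splunk supplies default_match as the output value, so amount is never empty.
min_matches = 1
default_match = 100
# Optional: make the match on Key exact (lookups are case-insensitive by default).
case_sensitive_match = true

# props.conf
# Automatic lookup for the assumed sourcetype my_sourcetype: match the event's
# Key against the CSV's Key column and write the CSV's amount into the event.
[my_sourcetype]
LOOKUP-amount = key_amount Key OUTPUT amount
```

With this in place an event with Key=A gets amount=250 from the CSV, and an event whose Key has no row gets amount=100 without any fillnull in the search.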

MuS
SplunkTrust

Hi HeinzWaescher,

you could set up an eval-based statement in props.conf:

EVAL-<fieldname> = <eval statement>
* Use this to automatically run the <eval statement> and assign the value of the output 
  to <fieldname>. This creates a "calculated field."
* When multiple EVAL-* statements are specified, they behave as if 
  they are run in parallel, rather than in any particular sequence.  
  For example say you have two statements: EVAL-x = y*2 and EVAL-y=100. In this case, "x" 
  will be assigned the original value of "y * 2," not the value of "y" after it is set to 100.
* Splunk processes calculated fields after field extraction and field aliasing but before 
  lookups. This means that:
        * You can use a field alias in the eval statement for a calculated field.
        * You cannot use a field added through a lookup in an eval statement for a calculated
          field.       

The eval could look like this:

EVAL-amount = if(isnull(amount), "100", amount)

This is untested, so maybe you need to adapt it to your needs.

cheers, MuS
