Solved: How to use lookup function for fuzzy matching

xsstest · ‎05-18-2017

Sorry, my English is not very good.

I extracted a field named "user-agent", I also have a CSV file, the specific content is as follows:

Now,I want to use the lookup function for fuzzy matching with user-agent results. Can I do it?

for example :

user-agent=Mozilla/5.0 (Windows NT 6.2; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0

How to fuzzy match the contents of a column in a CSV file.

I expect the output of the second, three column with the result

You might suggest that I use the eval function,

But I have a lot of keywords

alt text

MuS · ‎05-22-2017

HI xsstest,

have a look at this app https://splunkbase.splunk.com/app/1843/ , this app https://splunkbase.splunk.com/app/1795/ or this app https://splunkbase.splunk.com/app/3003/ .
I haven't used any of these but it sounds like they provide a solution to your problem.

Otherwise read the wildcard match for lookups in transforms.conf http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf - you need to look for the match_type = <string> option.

Hope this helps ...

cheers, MuS

jrmurray · ‎09-24-2020

Not to revive this old thread, but to folks who visit this later with a similar question, the following app will do what OP is asking for:

MuS · ‎05-22-2017

HI xsstest,

have a look at this app https://splunkbase.splunk.com/app/1843/ , this app https://splunkbase.splunk.com/app/1795/ or this app https://splunkbase.splunk.com/app/3003/ .
I haven't used any of these but it sounds like they provide a solution to your problem.

Otherwise read the wildcard match for lookups in transforms.conf http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf - you need to look for the match_type = <string> option.

Hope this helps ...

cheers, MuS

xsstest · ‎05-22-2017

Why no one answered the question?

How to use lookup function for fuzzy matching