
Is it possible to fill in default values for lookup value not found

Maycockk
Explorer

Hello fellow Splunk users,

I understand it is possible to default in a single value in the event a lookup is not found.

In my case I have a CSV where we look up a TenantId; if it's found we retrieve Tenant Name, latitude and longitude for geostats purposes. What I'd like to do is return a default name, latitude and longitude in the event a lookup doesn't match a TenantId in our lookup.

All help appreciated.

Thx in advance.


scelikok
SplunkTrust

@Maycockk,

You can add the "fillnull" command after your lookup, like below.

| fillnull value="Default Tenant" "Tenant Name"
| fillnull value=41.008240 latitude
| fillnull value=28.978359 longitude

If this reply helps you, an upvote and "Accept as Solution" is appreciated.

Maycockk
Explorer

Thank you kindly, have accepted as solution. Not back to the office till early Jan but this should do the trick just perfect.

Will default the null ones to somewhere on the map that won't. Are sense so can isolate and fix lookup accordingly. As new Tenants come on board they'll naturally appear in the search results but lookup will always be playing catchup and don't want it to start failing each time.

Appreciate it!!
