- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Is there a way to use wildcards or regex in lookup...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello
Following up on a previous question about lookups I am looking for a way to either use or simulate wildcards in a .csv lookup file.
I have fields like
Microsoft Windows 8.1 Pro
Microsoft Windows 8 Pro
Microsoft Windows 7 Ultimate
Microsoft Windows 7 Professional
Microsoft Windows 7 Enterprise
which I would like to group under, say, Windows Clients via a lookup. I do not know in advance what the values will be, so ideally I would like to be able to say
Microsoft Windows 7*,Windows Client
Microsoft Windows 8*,Windows Client
which does not work as is (and was hinted so by aweitzman in his answer.
- is there a direct way to use regexp (or wildcards) in the lookup .csv file?
The alternate solution I can think about would be to use an external script for the lookup which would get the field value and output something, based on a logic/algorithm within the script (as opposed to a csv)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You might be able to adapt something like the following:
search-goes-here | eval OSGroup=case(match(OSName,"Microsoft Windows 7(.*)"),"Windows Client", match(OSName,"Microsoft Windows 8(.*)"),"Windows Client",match(OSName,"Microsoft Windows Server(.*)"),"Windows Server")
The second argument to each match function is a regex, and the case statement lets you line up your matches with your output values.
While you can't put these in CSV files, you can turn the eval clause into a macro (add it to macros.conf) and refer to it wherever you need it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You might be able to adapt something like the following:
search-goes-here | eval OSGroup=case(match(OSName,"Microsoft Windows 7(.*)"),"Windows Client", match(OSName,"Microsoft Windows 8(.*)"),"Windows Client",match(OSName,"Microsoft Windows Server(.*)"),"Windows Server")
The second argument to each match function is a regex, and the case statement lets you line up your matches with your output values.
While you can't put these in CSV files, you can turn the eval clause into a macro (add it to macros.conf) and refer to it wherever you need it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hmmm... it looks like there's more to transforms.conf than I realized.
You can put wildcards in the CSV file, and then add the following term to the appropriate stanza in transforms.conf and it will work:
match_type = WILDCARD(OSName)
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
