Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is there a way to use wildcards or regex in lookup csv file?

wsw70
Communicator
‎06-16-2014 08:25 AM

Hello

Following up on a previous question about lookups I am looking for a way to either use or simulate wildcards in a .csv lookup file.

I have fields like

Microsoft Windows 8.1 Pro
Microsoft Windows 8 Pro
Microsoft Windows 7 Ultimate
Microsoft Windows 7 Professional
Microsoft Windows 7 Enterprise

which I would like to group under, say, Windows Clients via a lookup. I do not know in advance what the values will be, so ideally I would like to be able to say

Microsoft Windows 7*,Windows Client
Microsoft Windows 8*,Windows Client

which does not work as is (and was hinted so by aweitzman in his answer.

  • is there a direct way to use regexp (or wildcards) in the lookup .csv file?

The alternate solution I can think about would be to use an external script for the lookup which would get the field value and output something, based on a logic/algorithm within the script (as opposed to a csv)

Reply
1 Solution
Solved! Jump to solution
Solution

aweitzman
Motivator
‎06-16-2014 09:23 AM

You might be able to adapt something like the following:

search-goes-here | eval OSGroup=case(match(OSName,"Microsoft Windows 7(.*)"),"Windows Client", match(OSName,"Microsoft Windows 8(.*)"),"Windows Client",match(OSName,"Microsoft Windows Server(.*)"),"Windows Server")

The second argument to each match function is a regex, and the case statement lets you line up your matches with your output values.

While you can't put these in CSV files, you can turn the eval clause into a macro (add it to macros.conf) and refer to it wherever you need it.

View solution in original post

Reply
Solved! Jump to solution
Solution

aweitzman
Motivator
‎06-16-2014 09:23 AM

You might be able to adapt something like the following:

search-goes-here | eval OSGroup=case(match(OSName,"Microsoft Windows 7(.*)"),"Windows Client", match(OSName,"Microsoft Windows 8(.*)"),"Windows Client",match(OSName,"Microsoft Windows Server(.*)"),"Windows Server")

The second argument to each match function is a regex, and the case statement lets you line up your matches with your output values.

While you can't put these in CSV files, you can turn the eval clause into a macro (add it to macros.conf) and refer to it wherever you need it.

Reply
Solved! Jump to solution

aweitzman
Motivator
‎06-16-2014 09:40 AM

Hmmm... it looks like there's more to transforms.conf than I realized.

You can put wildcards in the CSV file, and then add the following term to the appropriate stanza in transforms.conf and it will work:

match_type = WILDCARD(OSName)

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...