Splunk Search

Look up table question

xvxt006
Contributor

Hi,

We have a filed called BOTs which extracts all the legitimate BOTs (which have +http://.... in the user agent). I want to add the other BOTs into the same field which does not follow the standard user agent format (so they won't have +http://.. format).

I have a look up table and tried the match_type = WILDCARD(useragent) and then i have in the csv file (Look up file).
BOTs useragent
Traverse Traverse
Capture Capture
But i am not getting in the BOTs field. Any suggestions?

Tags (2)
0 Karma
1 Solution

the_wolverine
Champion

Assuming your props/transforms is properly configured, your csv file fields will need to include * (one or both sides of the value) in order to wildcard match.

View solution in original post

xvxt006
Contributor

I forgot to put asterisk in here but I do have them in my cvs file. But still not seeing them.

0 Karma

the_wolverine
Champion

Assuming your props/transforms is properly configured, your csv file fields will need to include * (one or both sides of the value) in order to wildcard match.

lukejadamec
Super Champion

From Manager>Lookups>Lookup Definitions or Automatic Lookups for this lookup, if you open it, and save it, the case_sensitive_property will go away in transforms.conf.
I have found a way to make sure the case_sensitive_match=false is not reset. In transforms.conf add the stanza to the [default] level. Howver, this will effect all lookups in that transforms.conf

0 Karma

the_wolverine
Champion

Do you have a sample of your current lookup file? It needs to be a comma delimited csv file with wildcard (*).

To see the output, type in search UI, " | inputlookup BOTs.csv "

Also, make sure that the lookup file exists in ~/etc/system/lookups/ OR ~/etc/apps/search/lookups/ and has read permission properly set.

0 Karma

xvxt006
Contributor

Hi, i have added that but still i don't see data

[BOTs]
filename = BOTs.csv
case_sensitive_match=false
match_type = WILDCARD(User_Agent)

0 Karma

xvxt006
Contributor

Thank you. I will try this. Can you elaborate on "it needs to be reset after every splunk_web lookup update/save"

0 Karma

lukejadamec
Super Champion

You might need to add:

case_sensitive_match = false

to the transforms.conf stanza for this input.

The problem with this attribute is it needs to be reset after every splunk_web lookup update/save.

0 Karma
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...