Splunk Search

Look up table question

xvxt006
Contributor

Hi,

We have a field called BOTs which extracts all the legitimate BOTs (which have +http://.... in the user agent). I want to add the other BOTs into the same field which do not follow the standard user agent format (so they won't have the +http://.. format).

I have a lookup table and tried match_type = WILDCARD(useragent), and then I have the following in the csv file (lookup file):

BOTs,useragent
Traverse,Traverse
Capture,Capture

But I am not getting them in the BOTs field. Any suggestions?

1 Solution

the_wolverine
Champion

Assuming your props/transforms is properly configured, your csv file fields will need to include * (one or both sides of the value) in order to wildcard match.


xvxt006
Contributor

I forgot to put the asterisks in here, but I do have them in my csv file. But still not seeing them.


lukejadamec
Super Champion

From Manager > Lookups > Lookup Definitions or Automatic Lookups for this lookup, if you open it and save it, the case_sensitive_match property will go away in transforms.conf.
I have found a way to make sure that case_sensitive_match=false is not reset: in transforms.conf, add the setting to the [default] stanza. However, this will affect all lookups in that transforms.conf.


the_wolverine
Champion

Do you have a sample of your current lookup file? It needs to be a comma delimited csv file with wildcard (*).

To see the output, type in search UI, " | inputlookup BOTs.csv "

Also, make sure that the lookup file exists in ~/etc/system/lookups/ OR ~/etc/apps/search/lookups/ and has read permission properly set.


xvxt006
Contributor

Hi, I have added that, but I still don't see data:

[BOTs]
filename = BOTs.csv
case_sensitive_match=false
match_type = WILDCARD(User_Agent)


xvxt006
Contributor

Thank you. I will try this. Can you elaborate on "it needs to be reset after every splunk_web lookup update/save"?


lukejadamec
Super Champion

You might need to add:

case_sensitive_match = false

to the transforms.conf stanza for this input.

The problem with this attribute is it needs to be reset after every splunk_web lookup update/save.

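To make the two points in this thread concrete (the wildcard answer above and the case_sensitive_match point in this reply), here is an added example that is not part of the thread or of Splunk itself: a small Python model of how a WILDCARD(User_Agent) lookup resolves rows, run over a constructed BOTs.csv once with the bare values the asker first posted and once with asterisks, with and without case sensitivity. The CSV contents, user-agent strings and column names are assumptions based on the thread.

```python
import csv
import io
import re

# Constructed lookup CSVs: the asker's bare values, and the same rows with
# the '*' wildcards the accepted answer asks for. Column names follow the
# asker's transforms.conf stanza (BOTs is the output field, User_Agent the input).
CSV_BARE = """BOTs,User_Agent
Traverse,Traverse
Capture,Capture
"""
CSV_WILDCARD = """BOTs,User_Agent
Traverse,*Traverse*
Capture,*Capture*
"""

# Constructed user-agent strings standing in for web access events.
SAMPLE_UAS = [
    "Mozilla/5.0 (compatible; Traverse/2.1)",
    "capture-bot/0.9",
    "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0",
]

def wildcard_to_regex(pattern: str, case_sensitive: bool) -> re.Pattern:
    """Model of a WILDCARD(field) match: '*' matches any run of characters,
    everything else is literal, and the whole field value must match."""
    parts = [re.escape(p) for p in pattern.split("*")]
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile("^" + ".*".join(parts) + "$", flags)

def load_lookup(csv_text: str) -> list:
    return list(csv.DictReader(io.StringIO(csv_text)))

def lookup_bot(user_agent: str, rows: list, case_sensitive: bool = True):
    """Return the BOTs value of the first matching row, or None (field not set)."""
    for row in rows:
        if wildcard_to_regex(row["User_Agent"], case_sensitive).match(user_agent):
            return row["BOTs"]
    return None

def classify(csv_text: str, case_sensitive: bool = True) -> dict:
    """Map each sample user agent to the BOTs value the lookup would add."""
    rows = load_lookup(csv_text)
    return {ua: lookup_bot(ua, rows, case_sensitive) for ua in SAMPLE_UAS}

if __name__ == "__main__":
    for label, text, cs in [("bare values", CSV_BARE, True),
                            ("wildcards, case-sensitive (default)", CSV_WILDCARD, True),
                            ("wildcards, case_sensitive_match=false", CSV_WILDCARD, False)]:
        print(label, classify(text, cs))
```

With bare values no row matches a full user-agent string, so BOTs is never populated; with `*Traverse*` the Traverse row matches, and `capture-bot/0.9` is only tagged once matching is case-insensitive.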