Re: Lookup Tabel with UrLs

tmwhitm · ‎06-06-2018

Looking for assistance in creating a lookup table with UrLs, my syntax below does not work. Any ideas on how to use a lookup table with UrLs?

The lookup table UrL-Input contains two columns, URL & Description.

Any assistance is appreciated.

Tom

tmwhitm · ‎06-07-2018

Yes, my data had www.example.com so I added that verbatim to the lookup table but the data was not found until I added www.example.com to the lookup table.

tmwhitm · ‎06-07-2018

Jkat54,

Thank you. Before your post I was playing with the lookup table and found that when I added a wildcard at the beginning and end of the url, the SQL I have worked. Still trying to wrap my mind around why for even when I tested www.example.com and it existed in the data, it was not found until I added the wildcard.

jkat54 · ‎06-07-2018

That sounds odd. Are you saying this “unpacked” search works?

(( url=value1))

But this doesn’t:

((url=value1))

Even though you have a field called url with “value1” in it...

jkat54 · ‎06-06-2018

Use this as your subsearch instead:

| inputlookup UrL-Input | rename UrL as url | format

Which will unpack to

... ( ( url=value1 ) OR( url=value2) OR ... )

Lookup Tabel with UrLs

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life