Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup Tables and Comments
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I currently am using a lookup table to match Host Names with a "grouping" category. However, there are a ton of entries in there and the order I have them in the file isn't directly obvious, so to make it easier for me to search through and edit the file, I'd love it if I could add "comments" to the lookup file. Is this possible? Can we start lines with a ':' or a '#' character or something and cause that line to be ignored during the lookup process?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well its a CSV so you can't comment it.
But, you could add a comment field and simply not reference it during the lookup process? That way it will idle there un-used
UPDATE:
One way could be,
host,ip,comment
BOB,127.0.0.1,danger danger!
But you could avoid referencing the comment field completely
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well its a CSV so you can't comment it.
But, you could add a comment field and simply not reference it during the lookup process? That way it will idle there un-used
UPDATE:
One way could be,
host,ip,comment
BOB,127.0.0.1,danger danger!
But you could avoid referencing the comment field completely
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have a look at my updated answer for an example of another way to do it
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, I was just thinking that a "generic" Host Name like "#comment#" that would never actually be the name of a machine could just be treated as a comment. I was hoping that maybe Splunk's lookup process would have its own construct built-in that ignored certain lines. But you're probably right in that it most likely wouldn't. ^_^
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
