Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookup default_match for multiple columns?

mjpieters
Explorer
‎01-12-2015 03:27 AM

We are using a CSV to map one field to two more:

status,status_title,status_type,status_ok
-,Network connection successful,Network success,Success
D,DNS lookup failure,Network failure,Failure

etc, with a lookup:

lookup network_status_codes status AS receiver_network_status OUTPUTNEW
    status_title AS network_status_title,
    status_type AS network_status_type,
    status_ok AS network_status_ok

How can I handle falling back to defaults for all three columns? The default_match field appears to only let me provide one fallback; I don't think I can use:

[network_status_codes]
filename = network_status_codes.csv
min_matches = 1
default_match = Unknown network error,Network failure,Failure

here.

Should I use a wildcard match instead? E.g. add a row:

*,Unknown network error,Network failure,Failure

then set the match type:

match_type = WILDCARD(status)

to make this work?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mjpieters
Explorer
‎01-13-2015 04:00 AM

As I could not get the WILDCARD approach to work (the lookup always fails and the fields end up as NULL), I used:

 | fillnull value="Unknown network error" network_status_title 
 | fillnull value="Network Error" network_status_type 
 | fillnull value="Failure" network_status_ok

instead in the query; e.g. when the lookup fails supply default values manually.

Although the WILDCARD should have worked (I probably didn't re-load the dataset) I've since had confirmation from Splunk that using fillnull is better from a performance point of view here.

View solution in original post

Reply
Solved! Jump to solution

madchutney
New Member
‎05-26-2015 10:15 AM

The wildcard requires enabling in transforms.conf, e.g.

match_type = WILDCARD(status)
max_matches = 1

The max_matches stops the status matching the wildcard for known values. The lookup csv file can then have an extra entry:

*,Default title,Default type,Default ok
0 Karma
Reply
Solved! Jump to solution
Solution

mjpieters
Explorer
‎01-13-2015 04:00 AM

As I could not get the WILDCARD approach to work (the lookup always fails and the fields end up as NULL), I used:

 | fillnull value="Unknown network error" network_status_title 
 | fillnull value="Network Error" network_status_type 
 | fillnull value="Failure" network_status_ok

instead in the query; e.g. when the lookup fails supply default values manually.

Although the WILDCARD should have worked (I probably didn't re-load the dataset) I've since had confirmation from Splunk that using fillnull is better from a performance point of view here.

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Wondering How to Build Resiliency in the Cloud?

IT leaders are choosing Splunk Cloud as an ideal cloud transformation platform to drive business resilience,  ...

Updated Data Management and AWS GDI Inventory in Splunk Observability

We’re making some changes to Data Management and Infrastructure Inventory for AWS. The Data Management page, ...