Splunk Search

Lookup searches and regex?

klaudiac
Path Finder

Hi guys,

New to Splunk so pardon the simplicity of my question!

I'm trying to bounce my CSV list off another one. I have a list of servers in my spreadsheet and uploaded it as a lookup table file. But my problem is (I think) that the other file has the server names in a different format.

E.g. my server name is, let's say, "gb1234", and in the other file it's saved as "UK gb1234" or "EU UK gb1234".

 

I came up with a basic search command:

| inputlookup MY_LIST.csv
| eval host=upper(host)
| lookup OTHER_LIST asset_key as host
| fields host, asset_version, asset_bu

 

But I'm guessing that because of the format, in the search I need to use regex... but where and how?

gcusello
SplunkTrust

Hi @klaudiac,

If the longer field is in the main lookup, you can put the regex before the lookup command.

| inputlookup MY_LIST.csv
| rex field=host "(?<my_host>\w+)$"
| eval my_host=upper(my_host)
| lookup OTHER_LIST asset_key AS my_host
| table my_host asset_version asset_bu

If instead the longer field is in the secondary lookup, you cannot use the lookup command; you have to append the secondary lookup (with inputlookup), adding the regex in the subsearch, and then correlate the two lookups using a stats command. Something like this:

| inputlookup MY_LIST.csv
| eval host=upper(host)
| append [ | inputlookup OTHER_LIST | rex field=asset_key "(?<host>\w+)$" | eval host=upper(host) | fields host asset_version asset_bu]
| stats values(asset_version) AS asset_version values(asset_bu) AS asset_bu BY host

Ciao.

Giuseppe

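The append-and-stats approach above, as an added, self-contained example that is not part of the original post. Both lookups are constructed inline with makeresults so the search runs on any Splunk instance without MY_LIST.csv or OTHER_LIST existing; the rows ("UK gb1234", "EU UK gb5678", "US ab0001" and their asset_version and asset_bu values) are invented for the demonstration, and the in_my_list marker is an assumed helper field added so the final table only keeps hosts that came from your own list:

```spl
| makeresults
| eval host=split("gb1234,gb5678,gb9999", ",")
| mvexpand host
| eval host=upper(host), in_my_list=1
| fields host in_my_list
| append
    [ | makeresults
      | eval row=split("UK gb1234|1.2|Retail;EU UK gb5678|2.0|Finance;US ab0001|3.1|Ops", ";")
      | mvexpand row
      | rex field=row "^(?<asset_key>[^|]+)\|(?<asset_version>[^|]+)\|(?<asset_bu>[^|]+)$"
      | rex field=asset_key "(?<host>\w+)$"
      | eval host=upper(host)
      | fields host asset_version asset_bu ]
| stats max(in_my_list) AS in_my_list values(asset_version) AS asset_version values(asset_bu) AS asset_bu BY host
| where in_my_list=1
| fillnull value="NOT_FOUND" asset_version asset_bu
| table host asset_version asset_bu
```

With the constructed rows this returns GB1234 (1.2, Retail), GB5678 (2.0, Finance) and GB9999 marked NOT_FOUND in both columns; AB0001 is dropped because it never appeared in the first list. Two things to keep in mind when you swap in the real lookups: the rex "(?<host>\w+)$" takes the last run of word characters, so a trailing space or a suffix such as "gb1234 (old)" in asset_key will silently break the match, and if two asset_key values (say "UK gb1234" and "EU gb1234") collapse to the same host, values() gives you a multivalue field rather than an error, so check mvcount(asset_version)>1 before trusting the result.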

bowesmana
SplunkTrust

You can't do regex during the lookup, but maybe the easiest option is to "clean" the data in the second lookup, so that you create a new column which is the last word of the multi-word host name, and then look up on that.

But it will depend on the permutations of that second host name as to how you could address this.

You can use wildcard lookups by adding * to the lookup value and creating a lookup definition defining the field as a wildcard field, but that will again require some processing of the lookup.

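The "clean the second lookup into a new column" approach, as an added example that is not from the original answer. It assumes OTHER_LIST is an existing lookup definition with an asset_key column, that you may write a new lookup file (OTHER_LIST_CLEAN.csv is an assumed name), and that the lookup command can reference a CSV file name directly, which it can on current Splunk Enterprise and Cloud. These are three separate searches: run the first to check for collisions, the second once to build the cleaned file, and the third whenever you need the join.

```spl
| inputlookup OTHER_LIST
| rex field=asset_key "(?<host_key>\w+)$"
| eval host_key=upper(host_key)
| stats count values(asset_key) AS asset_key BY host_key
| where count>1

| inputlookup OTHER_LIST
| rex field=asset_key "(?<host_key>\w+)$"
| eval host_key=upper(host_key)
| table asset_key host_key asset_version asset_bu
| outputlookup OTHER_LIST_CLEAN.csv

| inputlookup MY_LIST.csv
| eval host=upper(host)
| lookup OTHER_LIST_CLEAN.csv host_key AS host OUTPUT asset_version asset_bu
| table host asset_version asset_bu
```

The first search should return no rows; any row it does return is a pair of original asset_key values ("UK gb1234" and "EU gb1234", for instance) that map to the same host_key, and for those the plain lookup in the third search will only return the first match, so resolve them in the source data before relying on the join. Case normalisation on both sides matters too: the lookup match is case-sensitive unless the lookup definition sets case_sensitive_match = false, which is why host_key is uppercased when the file is written and host is uppercased when it is read.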