Splunk Search

Lookups and Wildcard Entries

pwguinto
New Member

I'm currently setting up an alert using a CSV lookup file with wildcard entries. I followed the instructions provided from the other questions and was able to make them work. Here's a sample of my CSV lookup file:

KEY1,KEY2,VALUE
AAA,111,Value 1
AAA,112,Value 2
AAA,*,Value 3

Using fields KEY1 and KEY2 for the lookup -- if the query produces the values KEY1="AAA" and KEY2="111", then it should pick up "Value 1" for the VALUE field -- which it correctly does. However, it also picks up the entry corresponding to KEY1="AAA, KEY2="*" since it technically matches.

Is it possible to configure the lookup that if it already finds a match, it won't go through the rest of the lookup file? For the query, I'm just using a straight forward lookup command:

| lookup <Lookup> KEY1 AS KEY1, KEY2 AS KEY2 OUTPUTNEW VALUE

Your inputs would be very much appreciated, thanks!

0 Karma
1 Solution

HiroshiSatoh
Champion

There is a maximum match in the settings in the lookup file. Can't use this?

View solution in original post

0 Karma

HiroshiSatoh
Champion

There is a maximum match in the settings in the lookup file. Can't use this?

0 Karma

pwguinto
New Member

I'll try this one, and will let you know -- though I think this should work. I just can't replicate the scenario immediately due to how the data is being fed. Thanks!

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...