Splunk Search

Lookups and Wildcard Entries

pwguinto
New Member

I'm currently setting up an alert using a CSV lookup file with wildcard entries. I followed the instructions provided from the other questions and was able to make them work. Here's a sample of my CSV lookup file:

KEY1,KEY2,VALUE
AAA,111,Value 1
AAA,112,Value 2
AAA,*,Value 3

Using fields KEY1 and KEY2 for the lookup -- if the query produces the values KEY1="AAA" and KEY2="111", then it should pick up "Value 1" for the VALUE field -- which it correctly does. However, it also picks up the entry corresponding to KEY1="AAA, KEY2="*" since it technically matches.

Is it possible to configure the lookup that if it already finds a match, it won't go through the rest of the lookup file? For the query, I'm just using a straight forward lookup command:

| lookup <Lookup> KEY1 AS KEY1, KEY2 AS KEY2 OUTPUTNEW VALUE

Your inputs would be very much appreciated, thanks!

0 Karma
1 Solution

HiroshiSatoh
Champion

There is a maximum match in the settings in the lookup file. Can't use this?

View solution in original post

0 Karma

HiroshiSatoh
Champion

There is a maximum match in the settings in the lookup file. Can't use this?

0 Karma

pwguinto
New Member

I'll try this one, and will let you know -- though I think this should work. I just can't replicate the scenario immediately due to how the data is being fed. Thanks!

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...