Solved: Lookups and Wildcard Entries

pwguinto · ‎01-22-2020

I'm currently setting up an alert using a CSV lookup file with wildcard entries. I followed the instructions provided from the other questions and was able to make them work. Here's a sample of my CSV lookup file:

KEY1,KEY2,VALUE
AAA,111,Value 1
AAA,112,Value 2
AAA,*,Value 3

Using fields KEY1 and KEY2 for the lookup -- if the query produces the values KEY1="AAA" and KEY2="111", then it should pick up "Value 1" for the VALUE field -- which it correctly does. However, it also picks up the entry corresponding to KEY1="AAA, KEY2="*" since it technically matches.

Is it possible to configure the lookup that if it already finds a match, it won't go through the rest of the lookup file? For the query, I'm just using a straight forward lookup command:

| lookup <Lookup> KEY1 AS KEY1, KEY2 AS KEY2 OUTPUTNEW VALUE

Your inputs would be very much appreciated, thanks!

HiroshiSatoh · ‎01-22-2020

There is a maximum match in the settings in the lookup file. Can't use this?

View solution in original post

HiroshiSatoh · ‎01-22-2020

There is a maximum match in the settings in the lookup file. Can't use this?

pwguinto · ‎01-23-2020

I'll try this one, and will let you know -- though I think this should work. I just can't replicate the scenario immediately due to how the data is being fed. Thanks!

Lookups and Wildcard Entries

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!