Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Lookups and Wildcard Entries

pwguinto
New Member
‎01-22-2020 06:01 PM

I'm currently setting up an alert using a CSV lookup file with wildcard entries. I followed the instructions provided from the other questions and was able to make them work. Here's a sample of my CSV lookup file:

KEY1,KEY2,VALUE
AAA,111,Value 1
AAA,112,Value 2
AAA,*,Value 3

Using fields KEY1 and KEY2 for the lookup -- if the query produces the values KEY1="AAA" and KEY2="111", then it should pick up "Value 1" for the VALUE field -- which it correctly does. However, it also picks up the entry corresponding to KEY1="AAA, KEY2="*" since it technically matches.

Is it possible to configure the lookup that if it already finds a match, it won't go through the rest of the lookup file? For the query, I'm just using a straight forward lookup command:

| lookup <Lookup> KEY1 AS KEY1, KEY2 AS KEY2 OUTPUTNEW VALUE

Your inputs would be very much appreciated, thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎01-22-2020 10:36 PM

There is a maximum match in the settings in the lookup file. Can't use this?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎01-22-2020 10:36 PM

There is a maximum match in the settings in the lookup file. Can't use this?

0 Karma
Reply
Solved! Jump to solution

pwguinto
New Member
‎01-23-2020 01:24 AM

I'll try this one, and will let you know -- though I think this should work. I just can't replicate the scenario immediately due to how the data is being fed. Thanks!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...