Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookups and Wildcard Entries

pwguinto
New Member
‎01-22-2020 06:01 PM

I'm currently setting up an alert using a CSV lookup file with wildcard entries. I followed the instructions provided from the other questions and was able to make them work. Here's a sample of my CSV lookup file:

KEY1,KEY2,VALUE
AAA,111,Value 1
AAA,112,Value 2
AAA,*,Value 3

Using fields KEY1 and KEY2 for the lookup -- if the query produces the values KEY1="AAA" and KEY2="111", then it should pick up "Value 1" for the VALUE field -- which it correctly does. However, it also picks up the entry corresponding to KEY1="AAA, KEY2="*" since it technically matches.

Is it possible to configure the lookup that if it already finds a match, it won't go through the rest of the lookup file? For the query, I'm just using a straight forward lookup command:

| lookup <Lookup> KEY1 AS KEY1, KEY2 AS KEY2 OUTPUTNEW VALUE

Your inputs would be very much appreciated, thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎01-22-2020 10:36 PM

There is a maximum match in the settings in the lookup file. Can't use this?

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

HiroshiSatoh
Champion
‎01-22-2020 10:36 PM

There is a maximum match in the settings in the lookup file. Can't use this?

0 Karma
Reply
Solved! Jump to solution

pwguinto
New Member
‎01-23-2020 01:24 AM

I'll try this one, and will let you know -- though I think this should work. I just can't replicate the scenario immediately due to how the data is being fed. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...