Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Return the closest match for a wildcard lookup

bowesmana
SplunkTrust
SplunkTrust
‎07-11-2019 06:50 PM

I have a lookup 3 wildcard fields. What I want to be able to do is to only return the closes match, so if there are multiple matches, pick the closest one, e.g. if I have the following 3 rows in the lookup

F1, F2, F3, O1
test,,field3,output1
test,field,field3,output2
test,f*,field3,output3

and with the following data

F1=test
F2=field2
F3=field3

lookup F1,F2,F3 OUTPUT O1

I want O1 to be output2, i.e. from the second match as the length of the match string for F2 is the longest of the 3 possibilities. max_matches can't be 1 as that does not work on closest match and also, as this is KV store, I have some fields (F3) that is a multi value field, so using max_matches = 1 will also effectively remove all bar 1 of the multi value entries in F3.

Can this be done with the lookup itself or will it need post processing - and if so, how could that be done with post processing?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...