I'm having difficulty getting the wildcard lookups to work for me.
LookupTable:
path,command,description
*b/c/d,command1*,description1
a/b/c,command2*,description2
*e/f,command2*,description3
*b/c/d,command3*, description4
Sample fields/results
a/b/c/d,command1aa ==> description1
a/b/c,command2bb ==> description2
d/e/f,command2bb ==> description3
Transform.conf:
[CommandTree]
filename = CommandTree.csv
match_type = WILDCARD(path,command)
SEARCH-STRING | lookup CommandTree.csv path AS field_path command AS field_command OUTPUT description
I've also tried using a single wildcard, and I'm still not getting a match. If I change the lookup table and fields to exact matches everything works as expected.
I'm using version Splunk Enterprise:
Splunk Version 6.5.2
Splunk Build 67571ef4b87d
Thanks in advance,
Dave
Your lookup
command is referring to a csv file, not to a lookup definition - use lookup CommandTree
instead.
Additionally, it should be match_type = WILDCARD(field1), WILDCARD(field2)
.
Your lookup
command is referring to a csv file, not to a lookup definition - use lookup CommandTree
instead.
Additionally, it should be match_type = WILDCARD(field1), WILDCARD(field2)
.
Thanks for your help Martin, it is now working.
Regards,
Dave