Splunk Search

Unable to perform wildcard lookups

New Member

I'm having difficulty getting the wildcard lookups to work for me.

LookupTable:
path,command,description
*b/c/d,command1*,description1
a/b/c,command2*,description2
*e/f,command2*,description3
*b/c/d,command3*, description4

Sample fields/results
a/b/c/d,command1aa ==> description1
a/b/c,command2bb ==> description2
d/e/f,command2bb ==> description3

Transform.conf:
[CommandTree]
filename = CommandTree.csv
match_type = WILDCARD(path,command)

  • I've also tried WILDCARD(path) WILDCARD(command)

SEARCH-STRING | lookup CommandTree.csv path AS fieldpath command AS fieldcommand OUTPUT description

I've also tried using a single wildcard, and I'm still not getting a match. If I change the lookup table and fields to exact matches everything works as expected.

I'm using version Splunk Enterprise:
Splunk Version 6.5.2
Splunk Build 67571ef4b87d

Thanks in advance,
Dave

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Your lookup command is referring to a csv file, not to a lookup definition - use lookup CommandTree instead.

Additionally, it should be match_type = WILDCARD(field1), WILDCARD(field2).

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Your lookup command is referring to a csv file, not to a lookup definition - use lookup CommandTree instead.

Additionally, it should be match_type = WILDCARD(field1), WILDCARD(field2).

View solution in original post

0 Karma

New Member

Thanks for your help Martin, it is now working.

Regards,
Dave

0 Karma