Splunk Search

WILDCARD in LookUp .csv files

boromir
Path Finder

Hi all,

I have a challenge that I have been struggling with for the past few days, and I can't find the correct solution.

I have read

https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/td-p/...

and done pretty much exactly the same thing, but it doesn't work for me. So here are the details.

I have a simple lookup CSV file (2 columns), the first one with starting digits:

prefix,state
23401*,log1
23402*,log2
34602*,log5
...etc

I have used the GUI to create the lookup definitions, but I have also double-checked transforms.conf and props.conf. It is exactly as in the example in the link. I can't make the wildcard work for me.

Here is a simple search line just to illustrate:

source="log2.log" host="prod-splunk-indexer" sourcetype="testsource"
| lookup prefixlookup.csv prefix OUTPUT state
| table prefix state

If I create the lookup with exact matches, it works every time; however, my client requires only prefix checks, and to me WILDCARD is the only solution.

Any ideas?

PS.

I have actually created an exact replica of the case (user, username, userlookup, etc.) in the linked example, and it still doesn't work.

Have a great day!



Kwip
Contributor

Hi @boromir

Can you try the below:

Go to Lookup definition --> Advanced options --> Match Type, and enter WILDCARD(FieldName)

FieldName - the field which contains the wildcard in the lookup file.

Check and let me know if you still come across any issues.


boromir
Path Finder

Hi,

Thanks for responding :)

Exactly the same. I feel like I am missing something. I can't even make the example work.

As mentioned, I am now fighting to make the example from the link work, and have completely put my case on the back burner. So here is what I have, and it doesn't work:

userlookup.csv

user,username
user*,USERNAME

transforms.conf

[userlookup]
batch_index_query = 0
case_sensitive_match = 1
filename = userlookup.csv
match_type = WILDCARD(user)

props.conf

[log2]
LOOKUP-user = userlookup user OUTPUT username

...And for the full picture:

[screenshot: boromir_0-1596187725351.png]

I think that the solution is in front of my eyes, but I fail to see it.


Kwip
Contributor

Can you elaborate on your requirement a bit more?

So you want to filter your results with the prefix field values in the csv and again assign a state field value to the results?

If the above is your requirement, try the below query:

source="log2.log" host="prod-splunk-indexer" sourcetype="testsource" prefix=*
    [| inputlookup prefixlookup.csv
    | table prefix]
| lookup prefixlookup.csv prefix OUTPUT state
| table prefix state


boromir
Path Finder

Hi,

Thanks, I will try to explain it better.

My client provides me a table (CSV, 1000x lines, 2 columns) with prefixes that I will be able to find in the logs from the monitored equipment. Based on those prefixes, I have to structure them and assign them new values, which we will use later. Based on what I have read, a lookup with a wildcard in the lookup table is the solution to my challenge, and based on https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/td-p/...

I should be able to get exactly what I need; however, it still doesn't work.

I have tested your example, but it gets me exactly the same result. The wildcard does not match.

Kind regards!


boromir
Path Finder

Hi all,

I have to say, I found the issue that was bugging me. As suggested, it was something simple that was in front of me all the time.

Here is what didn't work:

sourcetype="log2" | lookup ranges.csv comment OUTPUT state | table comment state

And here is what worked:

sourcetype="log2" | lookup ranges comment OUTPUT state | table comment state

I can't believe I didn't figure it out earlier, but hey, learning is a process 🙂

Thanks!

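An added example, not from the thread or from Splunk itself: a small Python emulation of how `| lookup` matches events against this CSV, to make the difference between the two searches above concrete. It assumes, as the thread's outcome suggests, that addressing the raw file `prefixlookup.csv` applies exact matching only, while addressing the definition `prefixlookup` applies its `match_type = WILDCARD(prefix)`; the CSV text and the events are constructed samples.

```python
# Added example, not Splunk's own code: a small emulation of how `| lookup`
# matches a CSV lookup, showing why the thread's fix works. Assumption: a
# lookup addressed by file name (`lookup prefixlookup.csv`) matches exactly,
# while the definition (`lookup prefixlookup`) applies its
# match_type = WILDCARD(prefix). CSV text and events are constructed samples.
import csv
import fnmatch
import io

PREFIX_CSV = """prefix,state
23401*,log1
23402*,log2
34602*,log5
"""

EVENTS = [{"prefix": p} for p in ("2340155512", "2340299999", "3460200001", "9999900000")]


def load_rows(text):
    """Parse the lookup CSV into dicts, stripping stray spaces around cells."""
    return [{k.strip(): v.strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def lookup(events, rows, key, output, match_type=None):
    """Emulate `| lookup <name> <key> OUTPUT <output>`; case-sensitive, first match wins.

    match_type=None mimics addressing the raw .csv file (exact match only).
    match_type="WILDCARD" mimics a definition with match_type = WILDCARD(<key>).
    """
    out = []
    for ev in events:
        ev = dict(ev)  # do not mutate the caller's event
        value = ev.get(key, "")
        for row in rows:
            hit = (fnmatch.fnmatchcase(value, row[key]) if match_type == "WILDCARD"
                   else value == row[key])
            if hit:
                ev[output] = row[output]
                break
        out.append(ev)
    return out


def states(events, rows, match_type=None):
    """Looked-up state per event (None where no row matched)."""
    return [ev.get("state") for ev in lookup(events, rows, "prefix", "state", match_type)]


if __name__ == "__main__":
    rows = load_rows(PREFIX_CSV)
    print(states(EVENTS, rows), states(EVENTS, rows, "WILDCARD"))
```

Running it shows the file-based lookup returning no state for any event, while the definition-based one returns log1, log2 and log5 and leaves the unmatched prefix empty, which is exactly the symptom the thread describes.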