Solved: Wildcards in lookup file - Page 2

dewoodruff · ‎06-30-2017

I'm trying to use wildcards in a lookup file and am not able to get them working. I have referenced other posted answers but am not having success. Steps I have taken:

Created a lookup file called 'dt_s.csv' using the web interface by uploading the following content:

cs_host, is_suspicious
www.google.com, yes
www.*, yes
Created a lookup definition called 'dt' using the web interface, based off dt_s.csv
Our administrator added the below to transforms.conf on the indexers

[dt]
filename = dt_s.csv
match_type = WILDCARD(cs_host)

When I run a search such as '-search- | lookup dt cs_host | head 50 | fields cs_host, is_suspicious' I only get results for www.google.com and nothing for any other www.* entries.

What are we doing wrong? Is there any other step-by-step official documentation on how to set this up? Thank you.

Answer in comments below: In a pre v6.6 deployment with indexers separate from search head, the [dt] section above has to be added to the local transforms.conf on indexers AND the search head.

adauria_splunk · ‎07-11-2017

I tested this and got successful results with

index=*
| head 1
| eval cs_host="www.foo.com"
| lookup dt cs_host | fields cs_host, is_suspicious

I get the same results with www.google.com and www.foo.com (i.e. is_suspicious=yes).

2 things to consider:

1) Look at app context and permissions on the lookup knowledge objects. I doubt this is your issue since it works for the google domain.

2) I was able to do this all from the GUI without having to edit my transforms manually by configuring "advanced" options under the lookup definition, and using WILDCARD(cs_host) as my match type.

View solution in original post

Wildcards in lookup file

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life