Splunk Search

Wildcards working for inputlookup but not lookup?

jpawloski
Path Finder

Been targeting the same lookup definition and my lookup just refuses to recognize wildcards in my lookup table. My inputlookup works like so and properly accounts for the wildcards:

search NOT [|inputlookup bad_columns | table SCAN_TYPE TABLE_NAME SINGLE_COLUMN]

My lookup is below and just doesn't work:

foreach Column* [lookup bad_columns SCAN_TYPE AS SCAN_TYPE TABLE_NAME AS TABLE_NAME SINGLE_COLUMN AS <<FIELD>> OUTPUT SINGLE_COLUMN as match | various other evals...]

I'm not sure if the <<FIELD>> rename is allowed or if match_type can vary between these two commands. I do not have access to transforms.conf, FYI.

0 Karma

janispelss
Path Finder

Did you set the match type to WILDCARD for your lookup? If not, then to get this working through the web UI go to Settings -> Lookups -> Lookup definitions. Find your lookup there, and in its advanced options in the "Match type" field add WILDCARD(your_field) for any fields that you want to enable wildcard matching with. In your case I guess it would be

WILDCARD(SCAN_TYPE), WILDCARD(TABLE_NAME), WILDCARD(SINGLE_COLUMN)

This should allow the lookup command to correctly match using wildcards.

0 Karma

jpawloski
Path Finder

I'm on Splunk 6.2 so I do not have this option. But are you saying lookups and inputlookups can have different match_types?

0 Karma

janispelss
Path Finder

Ah, didn't realize that the UI part was a somewhat recent addition. So to get the wildcard matching for lookup command to work, I guess you'll probably need help from someone who does have the access to transforms.conf.

The thing with inputlookup is that it doesn't actually match anything. In the subsearch inputlookup just creates some table and that's where any lookup specific configurations end. The filtering is done by the search command - in a search command anything in the square brackets gets expanded into a series of search terms with AND and OR operators. You can see what it actually gets expanded to with the format command: | inputlookup some_lookup | table field1 field2 field3 | head 5 | format.

So if your lookup has "*" characters in it, they would simply become wildcards in a search command, and the match_type is never even used. Which is why your first search works correctly.

0 Karma
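The difference described in the last reply, as an added example that is not part of the original thread: a simplified Python model of how a subsearch is expanded into search terms (where `*` acts as a wildcard) versus how `lookup` compares fields exactly unless a field is declared WILDCARD in the lookup definition. The sample rows, the sample event and all function names are constructed for illustration; case handling and other Splunk matching details are not modeled.

```python
import re

FIELDS = ["SCAN_TYPE", "TABLE_NAME", "SINGLE_COLUMN"]

# Constructed rows standing in for the bad_columns lookup table.
LOOKUP_ROWS = [
    {"SCAN_TYPE": "PII", "TABLE_NAME": "CUSTOMER*", "SINGLE_COLUMN": "SSN"},
    {"SCAN_TYPE": "*", "TABLE_NAME": "AUDIT_LOG", "SINGLE_COLUMN": "*"},
]

# Constructed event whose TABLE_NAME only matches row 1 through the wildcard.
EVENT = {"SCAN_TYPE": "PII", "TABLE_NAME": "CUSTOMER_2019", "SINGLE_COLUMN": "SSN"}


def wildcard_match(pattern, value):
    """Treat '*' as 'any run of characters'; every other character is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def expand_subsearch(rows, fields=FIELDS):
    """Render rows the way `| format` shows them: ANDed field pairs, ORed rows."""
    groups = [" AND ".join(f'{f}="{row[f]}"' for f in fields) for row in rows]
    return "( " + " OR ".join(f"( {g} )" for g in groups) + " )"


def search_matches(event, rows, fields=FIELDS):
    """Search-term semantics: the lookup's '*' becomes a search wildcard.
    No match_type setting is consulted on this path."""
    return any(
        all(wildcard_match(row[f], event.get(f, "")) for f in fields)
        for row in rows
    )


def lookup_matches(event, rows, fields=FIELDS, wildcard_fields=()):
    """lookup semantics: exact comparison per field, unless the field is
    listed as WILDCARD(field) in the lookup definition's match type."""
    def field_ok(f, row):
        if f in wildcard_fields:
            return wildcard_match(row[f], event.get(f, ""))
        return row[f] == event.get(f, "")
    return any(all(field_ok(f, row) for f in fields) for row in rows)


if __name__ == "__main__":
    print(expand_subsearch(LOOKUP_ROWS))
    print("search terms match:", search_matches(EVENT, LOOKUP_ROWS))
    print("lookup, default:   ", lookup_matches(EVENT, LOOKUP_ROWS))
    print("lookup, WILDCARD:  ", lookup_matches(EVENT, LOOKUP_ROWS, wildcard_fields=FIELDS))
```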