Splunk Search

Wildcards working for inputlookup but not lookup?

Path Finder

Been targeting the same lookup definition and my lookup just refuses to recognize wildcards in my lookup table. My inputlookup works like so and properly accounts for the wildcards:

search NOT [|inputlookup bad_columns | table SCAN_TYPE TABLE NAME SINGLE_COLUMN]

My lookup is below and just doesn't work:

foreach Column* [lookup bad_columns SCAN_TYPE AS SCAN_TYPE TABLE_NAME AS TABLE_NAME SINGLE_COLUMN AS <<FIELD>> OUTPUT SINGLE_COLUMN as match | various other evals...]

I'm not sure if the <<FIELD>> rename is allowed or if match_type can vary between these two commands. I do not have access to transforms.conf, FYI.

0 Karma

Path Finder

Did you set the match type to WILDCARD for your lookup? If not, then to get this working through the web UI go to Settings -> Lookups -> Lookup definitions. Find your lookup there, and in its advanced options in the "Match type" field add WILDCARD(your_field) for any fields that you want to enable wildcard matching with. In your case I guess it would be

WILDCARD(SCAN_TYPE), WILDCARD(TABLE_NAME), WILDCARD(SINGLE_COLUMN)

This should allow the lookup command to correctly match using wildcards.

0 Karma

Path Finder

I'm on Splunk 6.2 so I do not have this option. But are you saying lookups and inputlookups can have different match_types?

0 Karma

Path Finder

Ah, didn't realize that the UI part was a somewhat recent addition. So to get the wildcard matching for lookup command to work, I guess you'll probably need help from someone who does have the access to transforms.conf.

The thing with inputlookup is that it doesn't actually match anything. In the subsearch inputlookup just creates some table and that's where any lookup specific configurations end. The filtering is done by the search command - in a search command anything in the square brackets gets expanded into a series of search terms with AND and OR operators. You can see what it actually gets expanded to with the format command: | inputlookup some_lookup | table field1 field2 field3 | head 5 | format.

So if your lookup has "*" characters in it, they would simply become wildcards in a search command, and the match_type is never even used. Which is why your first search works correctly.

0 Karma
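The two behaviours described in the answer above, simulated in Python as an added example (this is not code from the thread or from Splunk): a subsearch over inputlookup is expanded by `format` into OR-ed groups of AND-ed search terms, where any "*" in a row survives as a search wildcard, while the lookup command compares field values literally unless the field is declared in the definition's match_type as WILDCARD(field). The lookup rows, the event, and the field names are constructed; the expansion string is a simplified imitation of what `| format` prints, and case handling is ignored.

```python
import re

# Constructed sample rows standing in for the bad_columns lookup (hypothetical data).
FIELDS = ["SCAN_TYPE", "TABLE_NAME", "SINGLE_COLUMN"]
BAD_COLUMNS = [
    {"SCAN_TYPE": "full", "TABLE_NAME": "orders*", "SINGLE_COLUMN": "card_*"},
    {"SCAN_TYPE": "*", "TABLE_NAME": "users", "SINGLE_COLUMN": "ssn"},
]


def format_subsearch(rows, fields):
    """Imitate `| inputlookup x | table f1 f2 | format`: one ( f1="v" AND f2="v" ) group per
    row, groups joined by OR. Values are copied verbatim, so a "*" stays a search wildcard."""
    groups = []
    for row in rows:
        terms = ['%s="%s"' % (f, row[f]) for f in fields]
        groups.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(groups) + " )"


def wildcard_match(value, pattern):
    """Only "*" is special (as in Splunk search terms and WILDCARD lookups); the rest is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def search_match(event, rows, fields):
    """What the outer search does with the expanded terms: wildcards always apply."""
    return any(all(wildcard_match(event[f], row[f]) for f in fields) for row in rows)


def lookup_match(event, rows, fields, wildcard_fields=()):
    """What the lookup command does: exact comparison per field, wildcard only for
    fields listed as WILDCARD(field) in the lookup definition's match_type."""
    for row in rows:
        matched = True
        for f in fields:
            if f in wildcard_fields:
                matched = wildcard_match(event[f], row[f])
            else:
                matched = event[f] == row[f]
            if not matched:
                break
        if matched:
            return row
    return None


if __name__ == "__main__":
    event = {"SCAN_TYPE": "full", "TABLE_NAME": "orders_2024", "SINGLE_COLUMN": "card_number"}
    print(format_subsearch(BAD_COLUMNS, FIELDS))
    print("search filter hits:", search_match(event, BAD_COLUMNS, FIELDS))
    print("lookup, default match_type:", lookup_match(event, BAD_COLUMNS, FIELDS))
    print("lookup, WILDCARD on all fields:", lookup_match(event, BAD_COLUMNS, FIELDS, FIELDS))
```

Running it shows the event is excluded by the `search NOT [...]` form but not found by a default lookup; only once every wildcard-bearing field is declared WILDCARD(...) does the lookup command return the row.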