Solved: commas in lookup tables

stephen123 · ‎11-19-2012

hi, I am using a look-up table, however some of the fields have commas in them. - as you would expect these do not match. Any idea how to get around this,

I have tried adding a \ before the comma but this does not help
I can not remove the comma as this will not match the data

Thanks

MHibbin · ‎11-19-2012

If you can edit the CSV that you are using as a lookup directely, have you tried including the offending field in quotations (e.g. "). For example:

field0, field1, field2
efuieb, "foo,bar", blah
inevei, "foo", blah

Hope this helps.

MHibbin

View solution in original post

HeinzWaescher · ‎11-20-2013

Hi,

I've got another comma problem with a lookup. I would like to create a lookup for field values in the eventdata like Test,A, which i want to replace with a new value.

My lookuptable looks like this:

"Test,A" - New Value

I used the quotes to achieve, that the value is not splitted up in the lookup. But then I'm not able to use the lookup, because there is no match. The values in the eventdata don't have quotes...

Any ideas how to achieve my goal?

Thanks, Heinz

MHibbin · ‎11-19-2012

If you can edit the CSV that you are using as a lookup directely, have you tried including the offending field in quotations (e.g. "). For example:

field0, field1, field2
efuieb, "foo,bar", blah
inevei, "foo", blah

Hope this helps.

MHibbin

stephen123 · ‎11-19-2012

awesome - thanks

commas in lookup tables

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation