I recently noticed that the UI for lookup definitions now has an advanced checkbox. If I select that I get the option to set match_type, which is described as:

Match type
Optionally set up non-exact matching of a comma-and-space-delimited field list. Format is (). Available values for match_type are WILDCARD and CIDR.

so I added a wildcard match for my lookup field IP to my lookup definition for tools:

match_type=WILDCARD (IP)

(note, I tried CIDR, too, with similar results)

and in the lookup file tools.csv, I had an entry with a *:

IP: 10.10.35.*
Tool: Splunk

but when I try to use it, I do not get a match:

|makeresults |eval IP="10.10.35.9" | lookup tools IP

This did not return the Tool field, although if I pass it a matching string it does:

|makeresults |eval IP="10.10.35.*" | lookup tools IP

gets me back Tool=Splunk.

Is there something that I am misunderstanding about the UI-based lookup wildcard? Something else that I should be doing?
It should be WILDCARD(IP), not WILDCARD (IP). It should also be:

IP,Tool
10.10.35.*,Splunk

Not:

IP: 10.10.35.*
Tool: Splunk
Tried

match_type=WILDCARD(IP)

with the same results. Waited an hour as well, but still the same results.
Sorry on the csv. I should have written that correctly. Since it was just a lookup table, the data was actually stored correctly as

IP,Tool
10.10.35.*,Splunk
Also tried

match_type=WILDCARD(IP)

and changing the lookup table to

IP,Tool
10.10.35.0/24,Splunk

with the same results: no lookup match, although

|makeresults |eval IP="10.10.35.0/24" | lookup tools IP

does return a Tool value of Splunk.
For now I cheated and re-evaluated the query IP to match the lookup. It first checks the lookup for a full IP match, and then checks for a match on the final octet "wildcarded" (the sed expression captures the first three octets and replaces the last one with *):

|makeresults |eval IP="10.10.35.9"
| lookup tools IP
| eval IP3=IP
| rex mode=sed field=IP3 "s/^(\d{1,3}\.\d{1,3}\.\d{1,3}\.)\d{1,3}$/\1*/"
| lookup tools IP as IP3 OUTPUTNEW
OK. Learned where I went wrong on this one. I actually entered

match_type=WILDCARD(IP)

into the UI. I actually only needed to enter

WILDCARD(IP)
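For reference, this is what the lookup definition ends up as on disk once the UI field holds just WILDCARD(IP), written out as an added example rather than anything posted in the thread; the stanza and file names follow the thread's `tools` lookup, and the CIDR variant is an assumption about how the 10.10.35.0/24 row was meant to be used.

```ini
# transforms.conf (etc/apps/<app>/local/) -- the stanza "Lookup definitions"
# writes when the advanced "Match type" field contains exactly: WILDCARD(IP)
# Typing "match_type=WILDCARD(IP)" into that field produces a value Splunk
# cannot parse, so the lookup silently falls back to exact matching.
[tools]
filename = tools.csv
match_type = WILDCARD(IP)
# WILDCARD compares the field as a string, so the CSV row must carry the
# pattern in the IP column (header row first):
#   IP,Tool
#   10.10.35.*,Splunk
# Search:  | makeresults | eval IP="10.10.35.9" | lookup tools IP OUTPUT Tool

# Alternative for address ranges. CIDR compares the value as an address, so
# 10.10.35.0/24 matches 10.10.35.9 but not the string "10.10.350.1", which a
# pattern such as 10.10.* would also accept.
# [tools]
# filename = tools.csv
# match_type = CIDR(IP)
#   IP,Tool
#   10.10.35.0/24,Splunk
```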