I recently noticed that the UI for lookup definitions now has an advanced checkbox.  If I select that I get the option to set match_type, which is described as
Match type
Optionally set up non-exact matching of a comma-and-space-delimited field list. Format is (). Available values for match_type are WILDCARD and CIDR.
so I added a wildcard match for my lookup field IP to my lookup definition for tools:
match_type=WILDCARD (IP)
(note, I tried CIDR, too, with similar results)
and in the lookup file tools.csv, I had an entry with a *
IP: 10.10.35.*
Tool: Splunk
but when I try to use it, I do not get a match:
|makeresults |eval IP="10.10.35.9" | lookup tools IP
This did not return the Tool field, although if I pass it a matching string it does:
|makeresults |eval IP="10.10.35.*" | lookup tools IP
gets me back tool=Splunk
Is there something that I am misunderstanding about the UI-based lookup wildcard? Something else that I should be doing?
 
It should be WILDCARD(IP), not WILDCARD (IP).  It should also be:
IP,Tool
Splunk,10.10.35.*
Not:
IP: 10.10.35.*
Tool: Splunk
 
Tried
match_type=WILDCARD(IP)
with the same results. Waited an hour as well, but still same results.
Sorry about the CSV. I should have written that correctly. Since it was just a lookup table, the data was actually stored correctly as
IP,Tool
Splunk,10.10.35.*
Also tried
match_type=WILDCARD(IP)
and changing the lookup table to
IP,Tool
Splunk,10.10.35.0/24
with the same results: no lookup match,
although
|makeresults |eval IP="10.10.35.0/24" | lookup tools IP
does return a Tool value of Splunk.
 
For now I cheated and re-evaluated the query IP to match the lookup.
It first checks the lookup for a full IP match, and then checks for a match with the final octet "wildcarded":
|makeresults |eval IP="10.10.35.9" 
| lookup tools IP 
| eval IP3=IP 
| rex mode=sed field=IP3 "s/(?<IP3>\d{1,3}\.\d{1,3}\.\d{1,3}+\.)\d{1,3}/\1*/g" 
| lookup tools IP as IP3 OUTPUTNEW 
 
OK. Learned where I went wrong on this one.
I actually entered
match_type=WILDCARD(IP)
into the UI.
I actually only needed to enter
WILDCARD(IP)
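The advanced "Match type" field in the lookup definition UI is the value of the match_type setting in the lookup's transforms.conf stanza, which is why only WILDCARD(IP) belongs in it. As an added illustration (not from the thread), this is the stanza the tools lookup definition resolves to, with the assumed app path shown in the comment; the CIDR variant is included for the 10.10.35.0/24 form of the table tried above.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf  (app name assumed)
[tools]
filename = tools.csv
# Wildcard matching on the IP column: a row holding 10.10.35.* matches IP="10.10.35.9"
match_type = WILDCARD(IP)

# If the column holds ranges such as 10.10.35.0/24 instead, use CIDR matching:
# match_type = CIDR(IP)

# Typing "match_type=WILDCARD(IP)" into the UI field would store that whole string
# as the value, i.e. "match_type = match_type=WILDCARD(IP)", which is not a valid
# match type, so the lookup silently falls back to exact matching.
```

To confirm what the UI actually wrote, run `splunk btool transforms list tools --debug` on the search head and check the match_type line and the file it came from.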
