Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

reverse wildcard lookup from event field in index

luck123813
Explorer
‎02-24-2020 08:20 PM

Hello Everyone

I am trying to see if i can pass an event field over to a lookup attached with a wildcard (reverse lookup from event filed) ? For this an example I will use the items below

table = user_table.csv
lookup = user_table_loookup

user_table.csv data below:
email, manager_name
user1@domain_1.com, "Doe, John"

I have an event field within an index of . I then have a lookup table (.csv) that contains a column email and manager_name* within the user_table_loookup.

Is it possible to attach a wildcard to the username filed and send it against the lookup table to match the username portion of the email and return the manager_name from the lookup?

index=index_1 username=user1 | lookup user_table_loookup email AS username OUTPUT manager_name

username >> email
user1 >>>> user1@domain_1.com

0 Karma
Reply
Get Updates on the Splunk Community!

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...