Re: splunk lookup like match

VARWIZ · ‎01-05-2017

i have a lookup csv with say 2 columns

colA colB
sb12121 800
sb879898 1000
ax61565 680
ax7688 909

I need to perform a lookup search that matches like colA which may result in

sb12121 800
sb879898 1000

if one of the columns in the logs start with sb (note that it may not be an abs match)

I can write a query that absolutely matches with a field in column but I am not sure how to perform a like match. I read something about transforms.conf but not sure where and how to use it. all im trying to do is perform a simple search command, that can do this lookupfor me. do i really need the tranforms.conf file for this ? cant we not do a wildcard search directly in the query ?

somesoni2 · ‎01-05-2017

If you're looking for wildcarded lookup, then have a look at great answers here

https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

https://answers.splunk.com/answers/214548/how-to-use-lookup-with-wildcards-to-filter-events.html

https://answers.splunk.com/answers/28566/how-to-use-wildcard-in-lookup-based-searches-and-alerts.htm...

VARWIZ · ‎01-06-2017

test.csv
item item_name item_type
1 google url
1 facebook url
1 intel url
1 apple url
1 espn url

index=proxylog| lookup test.csv item_name AS uri OUTPUT item_type | search item_type=*

this is not giving me any matches even though there are multiple google/facebook/intel matching uris in splunk events..

any idea why ?

splunk lookup like match

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation