Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

use wildcard in lookup

katalinali
Path Finder
‎11-02-2010 08:10 AM

I have a lookup table like:

input output

========================================

KH00IS23 ABC

. . .

KH00IS98 ABC

ER97IT00 ZXC

. . .

ER97IT45 ZXC

ER97IT55_1432 ZXC03

. . .

ER97IT55_4988 ZXC03

ER97IT60_3421 UYT

. . .

ER97IT60_8764 UYT

I have several thousand of inputs but it just matches to about fifty output and the overhead of extracting all the fields is very high. I would like to ask if splunk can support wildcard or regex in lookup to the performance. By the way, is there default lookup like case i.e. if all value in a field is not match any record, then it should match to the default value.

Tags (1)
0 Karma
Reply

dvb
Path Finder
‎06-11-2012 12:40 AM

There actually is the possibility of using wildcards in lookups. See answer 28566

Reply

tawollen
Path Finder
‎12-16-2010 09:20 PM

Here is something else that might work.

  • | lookup mytable.csv input | eval output if(isnull(output),"default value", output)

This looks up a field in the lookup, if the field is not there, then it will put output as "default value"

0 Karma
Reply

ziegfried
Influencer
‎11-02-2010 02:41 PM

No, Splunk doesn't support wildcards or regular expressions in lookups. But you can specify a default value if none of the lookup values matches. You can do so by specifing min_matches=1 and default_match=TEXT either in the stanza in transforms.conf or in the manager in the Advanced Options of the lookup.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-11-2012 01:18 AM

This answer was correct, but is out of date as of version 4.2

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...