Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

use wildcard in lookup

katalinali
Path Finder
‎11-02-2010 08:10 AM

I have a lookup table like:

input output

========================================

KH00IS23 ABC

. . .

KH00IS98 ABC

ER97IT00 ZXC

. . .

ER97IT45 ZXC

ER97IT55_1432 ZXC03

. . .

ER97IT55_4988 ZXC03

ER97IT60_3421 UYT

. . .

ER97IT60_8764 UYT

I have several thousand of inputs but it just matches to about fifty output and the overhead of extracting all the fields is very high. I would like to ask if splunk can support wildcard or regex in lookup to the performance. By the way, is there default lookup like case i.e. if all value in a field is not match any record, then it should match to the default value.

Tags (1)
0 Karma
Reply

dvb
Path Finder
‎06-11-2012 12:40 AM

There actually is the possibility of using wildcards in lookups. See answer 28566

Reply

tawollen
Path Finder
‎12-16-2010 09:20 PM

Here is something else that might work.

  • | lookup mytable.csv input | eval output if(isnull(output),"default value", output)

This looks up a field in the lookup, if the field is not there, then it will put output as "default value"

0 Karma
Reply

ziegfried
Influencer
‎11-02-2010 02:41 PM

No, Splunk doesn't support wildcards or regular expressions in lookups. But you can specify a default value if none of the lookup values matches. You can do so by specifing min_matches=1 and default_match=TEXT either in the stanza in transforms.conf or in the manager in the Advanced Options of the lookup.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎06-11-2012 01:18 AM

This answer was correct, but is out of date as of version 4.2

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | Why did the turkey cross the road?

November 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...