About mjpieters

mjpieters · ‎01-20-2015

The validate-regex command sounds just the ticket, but in 6.0.4 it doesn't appear to exist. The only reference to the tool that I can find is your post. Presumably it is new in 6.1 then?

mjpieters · ‎01-13-2015

As I could not get the WILDCARD approach to work (the lookup always fails and the fields end up as NULL), I used: | fillnull value="Unknown network error" network_status_title | fillnull value="Network Error" network_status_type | fillnull value="Failure" network_status_ok instead in the query; e.g. when the lookup fails supply default values manually. Although the WILDCARD should have worked (I probably didn't re-load the dataset) I've since had confirmation from Splunk that using fillnull is better from a performance point of view here.

mjpieters · ‎01-12-2015

We are using a CSV to map one field to two more: status,status_title,status_type,status_ok -,Network connection successful,Network success,Success D,DNS lookup failure,Network failure,Failure etc, with a lookup: lookup network_status_codes status AS receiver_network_status OUTPUTNEW status_title AS network_status_title, status_type AS network_status_type, status_ok AS network_status_ok How can I handle falling back to defaults for all three columns? The default_match field appears to only let me provide one fallback; I don't think I can use: [network_status_codes] filename = network_status_codes.csv min_matches = 1 default_match = Unknown network error,Network failure,Failure here. Should I use a wildcard match instead? E.g. add a row: *,Unknown network error,Network failure,Failure then set the match type: match_type = WILDCARD(status) to make this work?

Posts	3
Solutions	1
Karma Given	0
Karma Received	1
Member Since	‎08-29-2013

Online Status	Offline
Date Last Visited	‎06-05-2020 02:04 AM

Lookup default_match for multiple columns?

Re: What's the best way to track down props.conf p...

Re: Lookup default_match for multiple columns?

Lookup default_match for multiple columns?