Hi all, I have a challenge, that i have been struggling for the past few days, and can't find the correct solution. I have read https://community.splunk.com/t5/Splunk-Search/Can-we-use-wildcard-characters-in-a-lookup-table/td-p/94513 and done pretty much exactly the same thing, but it doesn't work for me. So here are the details. I have a simple lookup csv file (2 columns ), first one with starting digits prefix, state 23401*, log1 23402*,log2 34602*,log5 ....etc I have used the GUI to create the lookup definitions, but i have also double-cheked transformes.conf and props.conf. It is exactly as in the example in the link. I can't make the wildcard work for me. Here is a simple search line just to illustrate source="log2.log" host="prod-splunk-indexer" sourcetype="testsource" | lookup prefixlookup.csv prefix OUTPUT state | table prefix state If i create lookup with exact matches, it works for the match everytime, however, my client requires only prefixchecks, and to me WILDCARD is the only solution. Any ideas? PS. I have actually created exact replica of the case(user,username, userlookup, etc) in the linked example, still doesn't work Have a great day!
... View more