I've confronted issues like this before, and it's not totally straightforward. If the strings you're searching for all fall into the same field in the base events, you have a shot. First, you'll need to either change your existing lookup table into a wildcard lookup or duplicate your lookup table so you have two - your current table and another that is a wildcard lookup. Then you'd do something like this, assuming your error strings all appear in a field called message, for example:
index=syslogs
[| inputlookup ErrorString.csv
| table Error
| rename Error AS search
| format ]
| lookup ErrorStringWildcard.csv Error AS message OUTPUT Error AS matching_Error
| eval matching_Error=trim(matching_Error, "*")
A few major gotchas:
1. The lookup will be case-sensitive, so an event with "INVALID response from hook" will not match a wildcard lookup entry of "*Invalid response from hook*". (There are some ways to get around this by making your lookup case-insensitive and having all of your wildcard lookup entries be in lower-case.)
2. This won't work if the Error string can appear in multiple fields. If that's the case, you'll need to either use coalesce to get them into a single field or run the lookup many times over multiple field names.
3. This really won't work well if the Error string can appear in the _raw data and isn't being extracted into a field.
If you've never set up a wildcard lookup before, this is a good guide:
https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html
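To make the two-stage approach and its gotchas concrete, here is a small Python simulation of what the search above does. It is an added example, not Splunk code or anything from the original answer: the CSV contents, the events, the host names and the function names are all constructed for illustration. The subsearch stage is approximated as a case-insensitive substring check (Splunk phrase search is case-insensitive), and the lookup stage reproduces the WILDCARD match semantics, where only "*" is special, with a switch for the case-sensitive default versus the case-insensitive workaround from gotcha 1 and a coalesce-style field list for gotcha 2.

```python
import csv
import io
import re

# Constructed stand-in for ErrorString.csv (plain strings, fed to the subsearch).
ERROR_STRING_CSV = """Error
Invalid response from hook
connection refused
"""

# Constructed stand-in for ErrorStringWildcard.csv: the same strings wrapped in
# "*" so the lookup matches them anywhere inside the field value.
ERROR_STRING_WILDCARD_CSV = """Error
*Invalid response from hook*
*connection refused*
"""

# Constructed sample events. web02 differs from web01 only in case (gotcha 1);
# db01 carries its text in "msg" rather than "message" (gotcha 2).
EVENTS = [
    {"host": "web01", "message": "Invalid response from hook 0x1"},
    {"host": "web02", "message": "INVALID response from hook 0x2"},
    {"host": "db01", "msg": "tcp: connection refused by 10.0.0.5"},
    {"host": "web03", "message": "request ok in 12ms"},
]


def load_error_column(csv_text):
    """Read the single 'Error' column of a lookup CSV into a list of strings."""
    return [row["Error"] for row in csv.DictReader(io.StringIO(csv_text))]


def subsearch_filter(event, terms):
    """Approximate the [| inputlookup ErrorString.csv ... | format] subsearch:
    keep an event if any plain error string occurs anywhere in its text.
    Splunk phrase search is case-insensitive, so web02 survives this stage
    even though the lookup stage will later reject it."""
    raw = " ".join(str(v) for v in event.values()).lower()
    return any(term.lower() in raw for term in terms)


def wildcard_to_regex(pattern, case_sensitive=True):
    """Translate a lookup entry such as '*foo*' into a regex. Only '*' is
    special, as with Splunk's WILDCARD match type; everything else is literal."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    flags = re.DOTALL | (0 if case_sensitive else re.IGNORECASE)
    return re.compile("^" + body + "$", flags)


def wildcard_lookup(event, patterns, fields=("message",), case_sensitive=True):
    """Mimic '| lookup ErrorStringWildcard.csv Error AS message OUTPUT Error AS
    matching_Error | eval matching_Error=trim(matching_Error, "*")'.
    'fields' is tried in order like coalesce(), so text living in a differently
    named field can still be matched. Returns the trimmed entry or None."""
    value = next((event[f] for f in fields if event.get(f)), None)
    if value is None:
        return None
    for pattern in patterns:
        if wildcard_to_regex(pattern, case_sensitive).match(value):
            return pattern.strip("*")  # same effect as trim(matching_Error, "*")
    return None


def run_search(events=EVENTS, fields=("message",), case_sensitive=True):
    """Run both stages and return (host, matching_Error) for events that pass
    the subsearch; matching_Error is None when the lookup did not match."""
    terms = load_error_column(ERROR_STRING_CSV)
    patterns = load_error_column(ERROR_STRING_WILDCARD_CSV)
    results = []
    for event in events:
        if not subsearch_filter(event, terms):
            continue
        results.append((event["host"], wildcard_lookup(event, patterns, fields, case_sensitive)))
    return results


if __name__ == "__main__":
    print("default (case-sensitive, message only):", run_search())
    print("workaround (case-insensitive, coalesced fields):",
          run_search(fields=("message", "msg"), case_sensitive=False))
```

With the defaults, web02 passes the subsearch but gets no matching_Error because the lookup is case-sensitive, and db01 gets none because its text is in msg rather than message; the second call shows both gotchas resolved. In Splunk itself the wildcard behaviour is configured on the lookup definition with `match_type = WILDCARD(Error)` in transforms.conf, and the case-insensitive workaround corresponds to `case_sensitive_match = false` on that same stanza.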