Splunk Search

How to automatically change a field value from lookup table?

MScottFoley
Path Finder

I have logs with a Customer field where the name of the customer is not consistent.  
  customer=Bobs Pizza
  customer=Bob's Pizza
  customer=Bobs Pizzeria

I want to use an automatic lookup to change all to a standard name without needing to changing existing searches.  

customer_lookup.csv
  customer_name,standard_customer_name
  Bobs Pizza,Bob's Pizza
  Bobs Pizzeria,Bob's Pizza

I am trying to do this with a lookup table in the search before I try to make it an automatic lookup. 

| lookup customer_lookup customer_name as Customer output standard_customer_name AS Customer

This lookup only works if the Customer returned in the search is actually in the lookup table.  So Customer="Bobs Pizza" is in the result, but Customer="Frank's   Artichokes" is not.  I can't add all customers to the table.  I have tried many forms of the lookup.  I can get a list with the original Customer name and the standard customer name in one exists, but that won't work for current searches.   
 

Can this be done?  I would think it could cause problems since someone could add an automatic lookup to hide certain things if needed.  

Labels (1)
Tags (1)
0 Karma
1 Solution

bowesmana
SplunkTrust
SplunkTrust

You are overwriting Customer so if your lookup is not found, it will overwrite Customer

Do it like this

| lookup customer_lookup customer_name as Customer output standard_customer_name 
| eval Customer=coalesce(standard_customer_name, Customer)

so, if your Customer does not exist in the lookup, it will return a null standard_customer_name and then the coalesce will just use the original Customer

View solution in original post

bowesmana
SplunkTrust
SplunkTrust

You are overwriting Customer so if your lookup is not found, it will overwrite Customer

Do it like this

| lookup customer_lookup customer_name as Customer output standard_customer_name 
| eval Customer=coalesce(standard_customer_name, Customer)

so, if your Customer does not exist in the lookup, it will return a null standard_customer_name and then the coalesce will just use the original Customer

MScottFoley
Path Finder

That is perfect.  I see now why it was not working before.  

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @MScottFoley ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @MScottFoley ,

only to complete the solution from @PickleRick that's perfect, you have to:

  • go in [Settings > Lookups > Lookup definitions]
  • choose the lookup
  • flag Advanced Options
  • insert "WILDCARD" in Match Type
  • Save

Ciao.

Giuseppe

PickleRick
SplunkTrust
SplunkTrust

You can create a lookup with a WILDCARD match type.

Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...