- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How are values in lookups matched?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When a field value is passed to a lookup, what are the limits on how it can match the value in the lookup? Specifically:
- Is the match case-sensitive? If not, what locale rules are used? Similarly, is it diacritic-sensitive?
- Are any kinds of wildcards allowed? Can I use, e.g.,
*orPrefix-*in a lookup table and expect it to match an event field value likePrefix-1?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As of Splunk 4.2(?), transforms.conf allows you to specify both case_sensitive_match and match_type to set the behavior of field matching in lookups:
case_sensitive_match = <bool>
* If set to false, case insensitive matching will be performed for all fields in a lookup table
* Defaults to true (case sensitive matching)
match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>) specification to allow for non-exact matching
* The avaiable match_type values are WILDCARD, CIDR, and EXACT. EXACT is the default and does not need to be specified. Only fields that should use WILDCARD or CIDR matching should be specified in this list
case_sensitive_match applies to all fields in the lookup.
What match_type means, if I remember correctly, is that if you have field1=foobar in your event, and a lookup file with a foo* line in it, match_type = WILDCARD(field1) will make foobar match foo*.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As of Splunk 4.2(?), transforms.conf allows you to specify both case_sensitive_match and match_type to set the behavior of field matching in lookups:
case_sensitive_match = <bool>
* If set to false, case insensitive matching will be performed for all fields in a lookup table
* Defaults to true (case sensitive matching)
match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>) specification to allow for non-exact matching
* The avaiable match_type values are WILDCARD, CIDR, and EXACT. EXACT is the default and does not need to be specified. Only fields that should use WILDCARD or CIDR matching should be specified in this list
case_sensitive_match applies to all fields in the lookup.
What match_type means, if I remember correctly, is that if you have field1=foobar in your event, and a lookup file with a foo* line in it, match_type = WILDCARD(field1) will make foobar match foo*.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What about a prefixed wildcard instead of suffix? e.g. will a lookup file with a "*bar" line in it, match_type = WILDCARD(field1) match "foobar"? I've tried this but can't get it to work, but maybe I've done something else wrong.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @bsayatovic ,
Did you happen to find a solution for the prefix wildcard? I am running into same issue, so wondering if you found a way around it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Matches are case sensitive as well as diacritic-sensitive.
No wildcards are allowed at this time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is true by default, but you can now change this to some degree.
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
