Splunk Search

How are values in lookups matched?

gkanapathy
Splunk Employee

When a field value is passed to a lookup, what are the limits on how it can match the value in the lookup? Specifically:

  • Is the match case-sensitive? If not, what locale rules are used? Similarly, is it diacritic-sensitive?
  • Are any kinds of wildcards allowed? Can I use, e.g., * or Prefix-* in a lookup table and expect it to match an event field value like Prefix-1?
1 Solution

Jason
Motivator

As of Splunk 4.2(?), transforms.conf allows you to specify both case_sensitive_match and match_type to set the behavior of field matching in lookups:

case_sensitive_match = <bool>
* If set to false, case insensitive matching will be performed for all fields in a lookup table
* Defaults to true (case sensitive matching)

match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>) specification to allow for non-exact matching
* The available match_type values are WILDCARD, CIDR, and EXACT.  EXACT is the default and does not need to be specified.  Only fields that should use WILDCARD or CIDR matching should be specified in this list

case_sensitive_match applies to all fields in the lookup.

What match_type means, if I remember correctly, is that if you have field1=foobar in your event, and a lookup file with a foo* line in it, match_type = WILDCARD(field1) will make foobar match foo*.
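To make the two settings concrete, here is an added simulation of the documented matching rules (written for this page, not Splunk's lookup engine): a transforms.conf stanza and a lookup table are constructed inline, WILDCARD fields treat only `*` as a wildcard, CIDR fields compare an address against a network, and everything else is EXACT, with case_sensitive_match applied to the non-CIDR fields. The stanza values, the lookup rows and the field names are assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed transforms.conf stanza, modelled on the settings quoted above.
TRANSFORMS_STANZA = {
    "case_sensitive_match": False,
    "match_type": "WILDCARD(host), CIDR(src_ip)",
}

# Constructed lookup table: each row maps (host, src_ip) to a zone.
LOOKUP_ROWS = [
    {"host": "web-*", "src_ip": "10.0.0.0/8", "zone": "internal-web"},
    {"host": "db01", "src_ip": "192.168.1.0/24", "zone": "database"},
]

def parse_match_type(spec):
    """Parse 'WILDCARD(host), CIDR(src_ip)' into {'host': 'WILDCARD', 'src_ip': 'CIDR'}."""
    types = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, field = item.partition("(")
        types[field.rstrip(")").strip()] = kind.strip().upper()
    return types

def wildcard_to_regex(pattern):
    # Assumption for this simulation: only '*' is a wildcard; all else is literal.
    return ".*".join(re.escape(part) for part in pattern.split("*"))

def field_matches(kind, table_value, event_value, case_sensitive):
    if kind == "CIDR":
        try:
            return ipaddress.ip_address(event_value) in ipaddress.ip_network(table_value, strict=False)
        except ValueError:  # non-IP event value or malformed network never matches
            return False
    if not case_sensitive:  # case_sensitive_match=false folds both sides
        table_value, event_value = table_value.lower(), event_value.lower()
    if kind == "WILDCARD":
        return re.fullmatch(wildcard_to_regex(table_value), event_value) is not None
    return table_value == event_value  # EXACT is the default

def lookup(event, rows, stanza, output_field):
    """Return output_field from the first row whose input fields all match the event."""
    types = parse_match_type(stanza.get("match_type", ""))
    case_sensitive = stanza.get("case_sensitive_match", True)
    for row in rows:
        inputs = [f for f in row if f != output_field]
        if all(field_matches(types.get(f, "EXACT"), row[f], event.get(f, ""), case_sensitive)
               for f in inputs):
            return row[output_field]
    return None
```

With the stanza above, an event with host=WEB-07 and src_ip=10.20.30.40 resolves to internal-web; dropping case_sensitive_match from the stanza restores the case-sensitive default and the same event no longer matches.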


bsayatovic
Path Finder

What about a prefixed wildcard instead of suffix? e.g. will a lookup file with a "*bar" line in it, match_type = WILDCARD(field1) match "foobar"? I've tried this but can't get it to work, but maybe I've done something else wrong.

sinvin
Engager

Hey @bsayatovic,
Did you happen to find a solution for the prefix wildcard? I am running into the same issue, so I'm wondering if you found a way around it.


steveyz
Splunk Employee

Matches are case sensitive as well as diacritic-sensitive.

No wildcards are allowed at this time.

lguinn2
Legend

This is true by default, but you can now change this to some degree.
