Solved: Re: How are values in lookups matched?

gkanapathy · ‎03-17-2010

When a field value is passed to a lookup, what are the limits on how it can match the value in the lookup? Specifically:

Is the match case-sensitive? If not, what locale rules are used? Similarly, is it diacritic-sensitive?
Are any kinds of wildcards allowed? Can I use, e.g., * or Prefix-* in a lookup table and expect it to match an event field value like Prefix-1?

Jason · ‎07-13-2012

As of Splunk 4.2(?), transforms.conf allows you to specify both case_sensitive_match and match_type to set the behavior of field matching in lookups:

case_sensitive_match = <bool>
* If set to false, case insensitive matching will be performed for all fields in a lookup table
* Defaults to true (case sensitive matching)

match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>) specification to allow for non-exact matching
* The avaiable match_type values are WILDCARD, CIDR, and EXACT.  EXACT is the default and does not need to be specified.  Only fields that should use WILDCARD or CIDR matching should be specified in this list

case_sensitive_match applies to all fields in the lookup.

What match_type means, if I remember correctly, is that if you have field1=foobar in your event, and a lookup file with a foo* line in it, match_type = WILDCARD(field1) will make foobar match foo*.

View solution in original post

Jason · ‎07-13-2012

As of Splunk 4.2(?), transforms.conf allows you to specify both case_sensitive_match and match_type to set the behavior of field matching in lookups:

case_sensitive_match = <bool>
* If set to false, case insensitive matching will be performed for all fields in a lookup table
* Defaults to true (case sensitive matching)

match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>) specification to allow for non-exact matching
* The avaiable match_type values are WILDCARD, CIDR, and EXACT.  EXACT is the default and does not need to be specified.  Only fields that should use WILDCARD or CIDR matching should be specified in this list

case_sensitive_match applies to all fields in the lookup.

What match_type means, if I remember correctly, is that if you have field1=foobar in your event, and a lookup file with a foo* line in it, match_type = WILDCARD(field1) will make foobar match foo*.

bsayatovic · ‎02-25-2013

What about a prefixed wildcard instead of suffix? e.g. will a lookup file with a "*bar" line in it, match_type = WILDCARD(field1) match "foobar"? I've tried this but can't get it to work, but maybe I've done something else wrong.

sinvin · ‎09-30-2021

Hey @bsayatovic ,
Did you happen to find a solution for the prefix wildcard? I am running into same issue, so wondering if you found a way around it.

steveyz · ‎04-08-2010

Matches are case sensitive as well as diacritic-sensitive.

No wildcards are allowed at this time.

lguinn2 · ‎07-26-2012

This is true by default, but you can now change this to some degree.

How are values in lookups matched?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...