- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to set up an automatic lookup where a predefin...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to set up an automatic lookup where a predefined value is used when there is no match in the lookup?
Hi,
I would like to set up an automatic lookup, where a predefined value is used when there is no match in the lookup.
Let's say the lookup input field is Key=A and the lookup output field is amount=250. For events without Key=A the output should always be amount=100.
Using
| fillnull value=100 amount
in every the search would be possible, but including it in the automatic lookup would be much better. Is this possible?
Thanks in advance
Heinz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Mus,
thanks for your answers, this seems to be a possible solution.
I've found another option in the lookup "definitions" which is easier to use.
Minium matches: 1
Default matches: 100
BR
Heinz
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nice, this ends in transforms.conf as default_match
default_match = <string>
* If min_matches > 0 and Splunk has less than min_matches for any given input, it provides
this default_match value one or more times until the min_matches threshold is reached.
* Defaults to empty string.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi HeinzWaescher,
you could setup an eval-based statement in props.conf :
EVAL-<fieldname> = <eval statement>
* Use this to automatically run the <eval statement> and assign the value of the output
to <fieldname>. This creates a "calculated field."
* When multiple EVAL-* statements are specified, they behave as if
they are run in parallel, rather than in any particular sequence.
For example say you have two statements: EVAL-x = y*2 and EVAL-y=100. In this case, "x"
will be assigned the original value of "y * 2," not the value of "y" after it is set to 100.
* Splunk processes calculated fields after field extraction and field aliasing but before
lookups. This means that:
* You can use a field alias in the eval statement for a calculated field.
* You cannot use a field added through a lookup in an eval statement for a calculated
field.
The eval could look like this:
EVAL-amount = if(isnull(amount), "100" , amount)
This is untested so maybe you need to adapt it to your needs
cheers, MuS
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
