- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Lookup default_match for multiple columns?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We are using a CSV to map one field to two more:
status,status_title,status_type,status_ok -,Network connection successful,Network success,Success D,DNS lookup failure,Network failure,Failure
etc, with a lookup:
lookup network_status_codes status AS receiver_network_status OUTPUTNEW
status_title AS network_status_title,
status_type AS network_status_type,
status_ok AS network_status_ok
How can I handle falling back to defaults for all three columns? The default_match field appears to only let me provide one fallback; I don't think I can use:
[network_status_codes] filename = network_status_codes.csv min_matches = 1 default_match = Unknown network error,Network failure,Failure
here.
Should I use a wildcard match instead? E.g. add a row:
*,Unknown network error,Network failure,Failure
then set the match type:
match_type = WILDCARD(status)
to make this work?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I could not get the WILDCARD approach to work (the lookup always fails and the fields end up as NULL), I used:
| fillnull value="Unknown network error" network_status_title | fillnull value="Network Error" network_status_type | fillnull value="Failure" network_status_ok
instead in the query; e.g. when the lookup fails supply default values manually.
Although the WILDCARD should have worked (I probably didn't re-load the dataset) I've since had confirmation from Splunk that using fillnull is better from a performance point of view here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The wildcard requires enabling in transforms.conf, e.g.
match_type = WILDCARD(status)
max_matches = 1
The max_matches stops the status matching the wildcard for known values. The lookup csv file can then have an extra entry:
*,Default title,Default type,Default ok
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As I could not get the WILDCARD approach to work (the lookup always fails and the fields end up as NULL), I used:
| fillnull value="Unknown network error" network_status_title | fillnull value="Network Error" network_status_type | fillnull value="Failure" network_status_ok
instead in the query; e.g. when the lookup fails supply default values manually.
Although the WILDCARD should have worked (I probably didn't re-load the dataset) I've since had confirmation from Splunk that using fillnull is better from a performance point of view here.
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
