We are using a CSV to map one field to two more:
status,status_title,status_type,status_ok
-,Network connection successful,Network success,Success
D,DNS lookup failure,Network failure,Failure
etc, with a lookup:
lookup network_status_codes status AS receiver_network_status OUTPUTNEW status_title AS network_status_title, status_type AS network_status_type, status_ok AS network_status_ok
How can I handle falling back to defaults for all three columns? The default_match field appears to only let me provide one fallback; I don't think I can use:
[network_status_codes]
filename = network_status_codes.csv
min_matches = 1
default_match = Unknown network error,Network failure,Failure
here.
Should I use a wildcard match instead? E.g. add a row:
*,Unknown network error,Network failure,Failure
then set the match type:
match_type = WILDCARD(status)
to make this work?
As I could not get the WILDCARD approach to work (the lookup always fails and the fields end up as NULL), I used:
| fillnull value="Unknown network error" network_status_title | fillnull value="Network Error" network_status_type | fillnull value="Failure" network_status_ok
instead in the query; e.g. when the lookup fails, supply default values manually.
Although the WILDCARD should have worked (I probably didn't re-load the dataset), I've since had confirmation from Splunk that using fillnull is better from a performance point of view here.
The wildcard requires enabling in transforms.conf, e.g.
match_type = WILDCARD(status)
max_matches = 1
The max_matches stops the status matching the wildcard for known values. The lookup CSV file can then have an extra entry:
*,Default title,Default type,Default ok
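An added example, not Splunk's code or either poster's: a small Python emulation of the CSV lookup with the WILDCARD(status) default row and max_matches = 1 from the answer above, plus the fillnull fallback from the accepted answer. It assumes matching rows are taken in file order (so the `*` row must be the last line of the CSV) and uses a constructed copy of the lookup file.

```python
import csv
import fnmatch
import io

# Constructed copy of network_status_codes.csv with the '*' row added last.
CSV_TEXT = """\
status,status_title,status_type,status_ok
-,Network connection successful,Network success,Success
D,DNS lookup failure,Network failure,Failure
*,Unknown network error,Network failure,Failure
"""

# OUTPUTNEW renames from the lookup command in the question.
OUTPUT_FIELDS = {
    "status_title": "network_status_title",
    "status_type": "network_status_type",
    "status_ok": "network_status_ok",
}

def load_rows(text=CSV_TEXT):
    """Parse the lookup CSV into row dicts, keeping file order."""
    return list(csv.DictReader(io.StringIO(text)))

def lookup(rows, status, wildcard=True, max_matches=1):
    """Emulate `lookup network_status_codes status OUTPUTNEW ...`.
    Rows are scanned in file order and only the first max_matches hits
    count, so the '*' row must be last or it shadows the real codes.
    wildcard=False models a lookup with no match_type: '*' is then literal."""
    out, hits = {}, 0
    for row in rows:
        pattern = row["status"]  # only '*' is intended as a wildcard here
        hit = fnmatch.fnmatchcase(status, pattern) if wildcard else status == pattern
        if hit:
            for src, dst in OUTPUT_FIELDS.items():
                out.setdefault(dst, row[src])  # OUTPUTNEW keeps the first value
            hits += 1
            if hits >= max_matches:
                break
    return out  # {} means all three output fields are NULL in the search

def fillnull(event, field, value):
    """Emulate `| fillnull value=<value> <field>`: only fills missing/NULL."""
    if event.get(field) is None:
        return {**event, field: value}
    return event
```

Swapping the `*` row to the top of the CSV makes every known code resolve to the default, which is the failure mode max_matches = 1 plus row order guards against.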