Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Default values for CSV lookups that don't match?

plucas_splunk
Splunk Employee
Splunk Employee
‎02-27-2017 04:32 PM

I have a vehicle fleet lookup table like:

vehicle_id,vehicle_year,vehicle_type,vehicle_ends,vehicle_agency,vehicle_livery
1,1912,"A",2,"San Francisco Municipal Railway","San Francisco Municipal Railway"
228,1934,"",2,"Blackpool Tramways","Blackpool Tramways"
578,1896,"G",2,"Market Street Railway","Market Street Railway"
737,1952,"PCC",1,"Brussels, Belgium","Zurich, Switzerland"
1807,1928,"Milan",1,"Milan, Italy","Milan, Italy (1928)"

A transforms.conf file like:

[Historic_fleet]
filename = Historic_fleet.csv

And a props.conf file like:

[NextBus]
category = Custom
disabled = false
LOOKUP-fleet = Historic_fleet vehicle_id

This all works fine. However, there are occasionally other vehicles out that are busses. They have their own vehicle_ids that are not in the lookup table. What I want is to have any vehicle_id that is not found to map to a vehicle_type=bus. I'd like to do this automatically so I don't have to do it for every query I write.

I'm aware that a lookup table can have a default value, but how do you specify that a default value of, say, bus, is supposed to go into the vehicle_type field?

Can I do this with static tables? Or must I resort to using an external lookup Python script?

0 Karma
Reply

woodcock
Esteemed Legend
‎02-28-2017 10:29 AM

There is nothing really automatic that doesn't overkill like @lguinn said, but you can do this manually:

... | lookup YourLookup | fillnull value="bus" vehicle_type

Or like this:

...  | eval vehicle_type="bus" | lookup YourLookup

Or even like this:

... | lookup YourLookup | eval vehicle_type=coalesce(vehicle_type, "bus")

You can add this to a macro (e.g. default_to_bus_vehicle_lookup) to make it centrally manageable and "automaticish".

0 Karma
Reply

lguinn2
Legend
‎02-27-2017 04:42 PM

The default value that you specify is placed into all fields that are returned from the lookup, when there is no match. Default values work with static tables.

I highly recommend setting a default value for lookup tables. It is an excellent solution to this sort of problem.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...