- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can I join a data model with a lookup using a wild...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I have an issues where I am joining a Data-model with a lookup table and its working very well.
We are looking to extend the usability to add a wild-character * into the lookup . So in the lookup we don't have to keep adding in the full string name, we can add in part of it then * [For Example XYZ*]
One table is Datamodel
Context_Command
NULL#NULL
cancel#Exit
Dealinput#Eventslist
SessionCreate#MXODR
DictionaryManager#NULL
Seconds Table Lookup is smaller a sub set
Context_Command
NULL#NULL
cancel#Exit
SessionCreate#MXODR
Proposed Second Table (With Wilde characters)
NULL*
cancel#Ex*
SessionC*
Current code that i have
| join Context+Command type=left [inputlookup TEST_MXTIMING.csv | rename Context_Command AS Context+Command ]
Any help would be brill : )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, for your current implementation, I would get away from using join and use lookup command instead like this
your data model search
| lookup TEST_MXTIMING.csv Context_Command AS "Context+Command"
For using wildcard in lookup matching, YOu would need to configure a lookup definition for your lookup table with match_type as wildcard. See this link for how to implement the same.
https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html
Once you've a lookup definition, your query should look like this
your data model search
| lookup YourLookupDefinitionName Context_Command AS "Context+Command"
FYR, these would the configuration changes for your lookup definition
All changes in Search Head(s)
transforms.conf:
[TEST_MXTIMING]
filename = TEST_MXTIMING.csv
match_type = WILDCARD(Context_Command)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, for your current implementation, I would get away from using join and use lookup command instead like this
your data model search
| lookup TEST_MXTIMING.csv Context_Command AS "Context+Command"
For using wildcard in lookup matching, YOu would need to configure a lookup definition for your lookup table with match_type as wildcard. See this link for how to implement the same.
https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html
Once you've a lookup definition, your query should look like this
your data model search
| lookup YourLookupDefinitionName Context_Command AS "Context+Command"
FYR, these would the configuration changes for your lookup definition
All changes in Search Head(s)
transforms.conf:
[TEST_MXTIMING]
filename = TEST_MXTIMING.csv
match_type = WILDCARD(Context_Command)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the answer for the most part this has worked, however i am not sure if what i am see it a "bug"
So i hvae replaced the Join and now i have the following
| lookup MXTIMING_lookup Context_Command AS "Context+Command" OUTPUT Tags CC_Description Threshold
The issues is that the lookup wild characters are giving me strange answers. So Example 1 - Working
This is the look up table - I get 10 Row returned to me [As i should] It finds a match for NULL#Login and this is good
Context_Command CC_Description Tags Alert Threshold
NULL#Login TEST2 TEST2 y 5
Then i change the lookup table to have the wild characters NUL* + NULL#Login (So perhaps the user made a mistake) [Now i only get 8 row returned to me and the 2 rows with NULL#Login are excluded]
Context_Command CC_Description Tags Alert Threshold
NUL* TEST1 TEST2 y 5
NULL#Login TEST2 TEST2 y 5
Is there a setting i can set for this?
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
