Wildcards working for inputlookup but not lookup?

jpawloski
Path Finder

Been targeting the same lookup definition and my lookup just refuses to recognize wildcards in my lookup table. My inputlookup works like so and properly accounts for the wildcards:

search NOT [|inputlookup bad_columns | table SCAN_TYPE TABLE_NAME SINGLE_COLUMN]

My lookup is below and just doesn't work:

foreach Column* [lookup bad_columns SCAN_TYPE AS SCAN_TYPE TABLE_NAME AS TABLE_NAME SINGLE_COLUMN AS <<FIELD>> OUTPUT SINGLE_COLUMN as match | various other evals...]

I'm not sure if the <<FIELD>> rename is allowed or if match_type can vary between these two commands. I do not have access to transforms.conf, FYI.

0 Karma

janispelss
Path Finder

Did you set the match type to WILDCARD for your lookup? If not, then to get this working through the web UI go to Settings -> Lookups -> Lookup definitions. Find your lookup there, and in its advanced options in the "Match type" field add WILDCARD(your_field) for any fields that you want to enable wildcard matching with. In your case I guess it would be

WILDCARD(SCAN_TYPE), WILDCARD(TABLE_NAME), WILDCARD(SINGLE_COLUMN)

This should allow the lookup command to correctly match using wildcards.

0 Karma

jpawloski
Path Finder

I'm on Splunk 6.2 so I do not have this option. But are you saying lookups and inputlookups can have different match_types?

0 Karma

janispelss
Path Finder

Ah, didn't realize that the UI part was a somewhat recent addition. So to get the wildcard matching for the lookup command to work, I guess you'll probably need help from someone who does have access to transforms.conf.

The thing with inputlookup is that it doesn't actually match anything. In the subsearch inputlookup just creates some table and that's where any lookup specific configurations end. The filtering is done by the search command - in a search command anything in the square brackets gets expanded into a series of search terms with AND and OR operators. You can see what it actually gets expanded to with the format command: | inputlookup some_lookup | table field1 field2 field3 | head 5 | format.

So if your lookup has "*" characters in it, they would simply become wildcards in a search command, and the match_type is never even used. Which is why your first search works correctly.

0 Karma
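The transforms.conf change janispelss describes in both replies, written out as an added example (it is not from the thread or from Splunk's own docs); it assumes the CSV is named bad_columns.csv, that the definition stanza carries the same name the searches above use, and that the file lives in a private app's local directory:

```ini
# transforms.conf in etc/apps/<your_app>/local/ (assumed location; pick the app
# that owns the lookup). The stanza name must match the name used in
# "| lookup bad_columns ..." and "| inputlookup bad_columns".

# Before: no match_type means exact matching, so a row whose SCAN_TYPE cell
# is "*" only matches an event whose SCAN_TYPE is literally the "*" character.
# [bad_columns]
# filename = bad_columns.csv

# After: declare wildcard matching per field. "*" (and patterns such as "tmp_*")
# in these columns now match any value, which is the same effect the subsearch
# "search NOT [| inputlookup bad_columns | table ...]" already gets for free,
# because the search command treats "*" in the expanded terms as a wildcard.
[bad_columns]
filename = bad_columns.csv
match_type = WILDCARD(SCAN_TYPE), WILDCARD(TABLE_NAME), WILDCARD(SINGLE_COLUMN)
# Any lookup field not listed here keeps exact matching. match_type is only
# consulted by the lookup command and automatic lookups; inputlookup just
# emits the rows and never performs a match.
```

After editing the file, run "| lookup bad_columns SCAN_TYPE TABLE_NAME SINGLE_COLUMN OUTPUT SINGLE_COLUMN AS match" against a few known events to confirm the "*" rows now populate the match field.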