Splunk Search

Can you help me with my wildcard search in a lookup?

swetar
New Member

Hi,

I have created a CSV lookup and want to perform a wildcard search on it. Is it possible?
lookup name # Inputlookup value.csv

Can anyone please advise me on this?

Thanks in advance.
swetar

0 Karma

HiroshiSatoh
Champion

It cannot be set in the GUI when a wildcard is used. You need to edit the configuration file.

https://answers.splunk.com/answers/52580/can-we-use-wildcard-characters-in-a-lookup-table.html

0 Karma
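
A sketch of the configuration-file edit the answer above refers to, added here as an example and not taken from the thread. It assumes the CSV column is named `foo` (the field used elsewhere on this page); the stanza name `value_wildcard` and the output field `label` are hypothetical. The wildcard patterns live in the CSV rows, not in the events.

```ini
# transforms.conf in the app that owns value.csv
# (hypothetical stanza name; value.csv sits in the app's lookups directory)
[value_wildcard]
filename = value.csv

# Treat the values in CSV column "foo" as wildcard patterns,
# e.g. a row with foo=*admin* matches any event value containing "admin".
match_type = WILDCARD(foo)

# Return only the first matching row, in file order, so put the most
# specific patterns above catch-all rows such as foo=*.
max_matches = 1

# Match patterns regardless of case.
case_sensitive_match = false

# Usage in a search (SPL), where the events carry a field named foo
# and "label" is a hypothetical second column in value.csv:
#   ... | lookup value_wildcard foo OUTPUT label
```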

tom_frotscher
Builder

Hi,

Can you provide a little bit more context? How do you want to search on the lookup? Do you have a search example?

You can always use
| inputlookup value.csv | search foo=*

or you can use the where clause directly in the inputlookup command, which is better for performance:
| inputlookup value.csv where foo > 0

You can find more examples in the inputlookup documentation:
http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/Inputlookup

Greetings

Tom

0 Karma

swetar
New Member

Thank you for your reply.
I wanted to use it in the way below. I don't want to specify the column name.
| inputlookup value.csv | search "wildcharater"

0 Karma

tom_frotscher
Builder

You cannot search in the lookup file without specifying a field. A lookup does not run through the indexing pipeline and therefore isn't tokenized and does not have a _raw field, for example, so you cannot search just for text.

But if your CSV file has timestamps, you can of course just index your CSV file, like you would index any other data.

0 Karma