Lookups and non matching values

samhughe · ‎08-01-2013

One of our users has a lookup requirement that I'm struggling to find a workable solution. They want to have a number of fields automatically looked up, but need any non matching values to be returned 'as is' rather than a default generic value.

I've tried csv lookups and they look fine except the non matching values

I've tried scripted lookups and these can be used to return the non-matching values but introduce a new problem. They don't take effect at the right time so I have to have a " | search ...." after the initial search queries and so makes the usability of the lookups much less user friendly.

Any suggestions?

samhughe · ‎08-06-2013

Best way I've found so far is to use eval and case based on sowings answer in http://splunk-base.splunk.com/answers/43893/case-defaulting-to-value-rather-than-null

lukejadamec · ‎08-01-2013

In Manager > Lookups > Lookup Definitions > your lookup

Have you tried Advanced Options with Min = 1, Max = 1, and Default (less than min) = As Is?

lukejadamec · ‎08-01-2013

I beg to differ. I just tested it.
If you comment out an common entry (line) from a lookup.csv (hence create a non-matching value) then As Is shows up in the results.
Are you sure you worded your question correctly?
You might want to verify that the value you are entering in the GUI is being sent to the right transforms.conf (perhaps you have a conflicting transforms.conf).

samhughe · ‎08-01-2013

Thanks for the suggestion but this just uses the default of NONE for all non matching values unfortunately

Lookups and non matching values

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life