When a field value is passed to a lookup, what are the limits on how it can match the value in the lookup? Specifically:
* or Prefix-* in a lookup table and expect it to match an event field value like Prefix-1?
As of Splunk 4.2(?), transforms.conf allows you to specify both case_sensitive_match and match_type to set the behavior of field matching in lookups:
case_sensitive_match = <bool>
* If set to false, case insensitive matching will be performed for all fields in a lookup table
* Defaults to true (case sensitive matching)
match_type = <string>
* A comma and space-delimited list of <match_type>(<field_name>) specification to allow for non-exact matching
* The available match_type values are WILDCARD, CIDR, and EXACT. EXACT is the default and does not need to be specified. Only fields that should use WILDCARD or CIDR matching should be specified in this list
case_sensitive_match applies to all fields in the lookup.
What match_type means, if I remember correctly, is that if you have field1=foobar in your event, and a lookup file with a foo* line in it, match_type = WILDCARD(field1) will make foobar match foo*.
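A configuration sketch for the wildcard case asked about in the question, added here as an example and not taken from the original posts. The stanza name, the CSV file name and the category output field are assumptions; the settings are standard transforms.conf options.

```ini
# transforms.conf  (example stanza; the name and file name are assumptions)
[prefix_lookup]
filename = prefix_lookup.csv

# Treat values in the field1 column of the CSV as wildcard patterns
# instead of literal strings. Fields not listed here stay EXACT.
match_type = WILDCARD(field1)

# Applies to every field in the lookup, not only field1.
case_sensitive_match = false

# Return only the first matching row, in file order. With overlapping
# patterns this makes CSV row order significant: specific patterns go
# above broad ones, and a bare * row goes last as the catch-all.
max_matches = 1

# prefix_lookup.csv  (constructed sample rows)
#   field1,category
#   Prefix-*,prefixed
#   foo*,foo_family
#   *,other
#
# Search-time use:
#   ... | lookup prefix_lookup field1 OUTPUT category
#
# With the rows above, an event with field1=Prefix-1 gets
# category=prefixed, field1=foobar gets category=foo_family, and any
# other value of field1 falls through to category=other.
```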
What about a prefixed wildcard instead of suffix? e.g. will a lookup file with a "*bar" line in it, match_type = WILDCARD(field1) match "foobar"? I've tried this but can't get it to work, but maybe I've done something else wrong.
Hey @bsayatovic ,
Did you happen to find a solution for the prefix wildcard? I am running into the same issue, so wondering if you found a way around it.
Matches are case sensitive as well as diacritic-sensitive.
No wildcards are allowed at this time.
This is true by default, but you can now change this to some degree.