Solved: Re: Unable to perform wildcard lookups

dpochopsky · ‎03-22-2017

I'm having difficulty getting the wildcard lookups to work for me.

LookupTable:
path,command,description
*b/c/d,command1*,description1
a/b/c,command2*,description2
*e/f,command2*,description3
*b/c/d,command3*, description4

Sample fields/results
a/b/c/d,command1aa ==> description1
a/b/c,command2bb ==> description2
d/e/f,command2bb ==> description3

Transform.conf:
[CommandTree]
filename = CommandTree.csv
match_type = WILDCARD(path,command)

I've also tried WILDCARD(path) WILDCARD(command)

SEARCH-STRING | lookup CommandTree.csv path AS field_path command AS field_command OUTPUT description

I've also tried using a single wildcard, and I'm still not getting a match. If I change the lookup table and fields to exact matches everything works as expected.

I'm using version Splunk Enterprise:
Splunk Version 6.5.2
Splunk Build 67571ef4b87d

Thanks in advance,
Dave

martin_mueller · ‎03-22-2017

Your lookup command is referring to a csv file, not to a lookup definition - use lookup CommandTree instead.

Additionally, it should be match_type = WILDCARD(field1), WILDCARD(field2).

View solution in original post

martin_mueller · ‎03-22-2017

Your lookup command is referring to a csv file, not to a lookup definition - use lookup CommandTree instead.

Additionally, it should be match_type = WILDCARD(field1), WILDCARD(field2).

dpochopsky · ‎03-22-2017

Thanks for your help Martin, it is now working.

Regards,
Dave

Unable to perform wildcard lookups

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases