Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

reverse wildcard lookup from event field in index

luck123813
Explorer
‎02-24-2020 08:20 PM

Hello Everyone

I am trying to see if i can pass an event field over to a lookup attached with a wildcard (reverse lookup from event filed) ? For this an example I will use the items below

table = user_table.csv
lookup = user_table_loookup

user_table.csv data below:
email, manager_name
user1@domain_1.com, "Doe, John"

I have an event field within an index of . I then have a lookup table (.csv) that contains a column email and manager_name* within the user_table_loookup.

Is it possible to attach a wildcard to the username filed and send it against the lookup table to match the username portion of the email and return the manager_name from the lookup?

index=index_1 username=user1 | lookup user_table_loookup email AS username OUTPUT manager_name

username >> email
user1 >>>> user1@domain_1.com

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...