Splunk® Enterprise

Knowledge Manager Manual

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Add field matching rules to your lookup configuration

These attributes provide field matching rules for lookups. They can be applied to all three lookup types. Add them to the transforms.conf stanza for your lookup.

Attribute Type Description Default
max_matches Integer The maximum number of possible matches for each value input to the lookup table from your events. Range is 1-1000. If the time_field attribute is is not specified, Splunk software uses the first <integer> entries, in file order. If the time_field attribute is specified (because it is a time-bounded lookup), Splunk software uses the first <integer> entries, in descending time order. In other words, up to <max_matches> are allowed to match. When this number is surpassed, Splunk software uses the matches closest to the lookup value. 1000 if the time_field attribute is not specified. 1 if the time_field attribute is specified.
min_matches Integer The minimum number of possible matches for each value input to the lookup table from your events. You can use default_match to help with situations where there are fewer than min_matches for any given input. 0 for both non-time-bounded lookups and time-bounded lookups, which means nothing is output to your event if no match is found.
default_match String When min_matches is greater than 0 and and Splunk software finds fewer than min_matches for any given input, it provides this default_match value one or more times until the min_matches threshold is reached. Empty string
case_sensitive_match Boolean Specify true to consider case when matching lookup table fields, false to ignore case.

Note: You do not need to set this attribute for KV store lookups. KV store lookups are always case sensitive .
True
match_type String Allows non-exact matching of one or more fields arranged in a list delimited by a comma followed by a space. Format is match_type = <match_type>(<field_name1>, <field_name2>,...<field_nameN>). Set match_type to WILDCARD to apply wildcard matching, or set it to CIDR to apply CIDR matching (specifically for IP address values). EXACT (does not need to be specified)
PREVIOUS
Configure geospatial lookups
  NEXT
Configure a time-based lookup

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5


Comments

Please provide more information on default_match:

It says that the default value is an empty string - does that mean that if default_match is specified without a value, an event for which no match is found in the lookup will still get all OUTPUT field(s), each having a value of empty string?

If one wants specific values for the OUTPUT fields in the "not found" case, as opposed to empty string, how are those specified (format, etc.)?

Thanks!

Brorymes
April 28, 2017

I second Badarsebard's REGEX request - great idea for more sophisticated pattern matching and validation!

Also, a general comment: For security reasons, we try to eliminate reasons for people to login to servers by providing other ways to get what they needed to login for (for instance use Splunk to scan logs!). It would be nice if the configuration parameters above could be set in the Lookup Editor app, instead of logging in to edit configuration files?

Thanks!

Brorymes
April 28, 2017

I'd like to request that a match_type of REGEX be added.

Ex.
Lookup Table:
phone,location
410-\d{3}-\d{4},MD
202-\d{3}-\d{4},DC

Event A:
caller=Bob phone=410-404-0000

search:
search caller=Bob | lookup area-code phone OUTPUT location

result:
caller=Bob phone=410-404-0000 location=MD

Badarsebard
April 4, 2016

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters