Add field matching rules to your lookup configuration
These attributes provide field matching rules for lookups. They can be applied to all four lookup types. Add them to the
transforms.conf stanza for your lookup.
||Integer||The maximum number of possible matches for each value input to the lookup table from your events. Range is 1-1000. If the
||100 if the |
||Integer||The minimum number of possible matches for each value input to the lookup table from your events. You can use
||0 for both non-time-bounded lookups and time-bounded lookups, which means nothing is output to your event if no match is found.|
Splunk software treats NULL values as matching values and does not replace them with the
Does not apply to KV Store lookups. Reverse lookups also require
||Boolean||For reverse lookups, the definition of the "input field" and the "output field" are flipped. Because the Splunk software applies
This setting does not apply to KV Store lookups. This setting may default to
||String||Allows non-exact matching of one or more fields arranged in a list delimited by a comma followed by a space. Format is
Example of using match_type for IPv6 CIDR match
In this example, you can use the the
match_type attribute in addition to the
lookup command to determine whether a specific IPv6 address is in a CIDR subnet. You can follow along with the example by performing these steps.
- Create a lookup table in the $SPLUNK_HOME/etc/apps/search/lookups folder called ipv6test.csv that contains the following text.
- Add the following entry to your local transforms.conf file, which is typically located in the $SPLUNK_HOME/etc/system/local folder. See How to edit a configuration file.
- Run the following search to match the IP address to the subnet.
Note that the
ip field in the lookup table contains the subnet value, not the IP address. This is because the
match_type attribute that will be added to the transforms.conf file in the next step tells the
lookup command that the value in that field is to be treated as a CIDR subnet for matching purposes.
filename = ipv6test.csv
| eval ip="2001:0db8:ffff:ffff:ffff:ffff:ffff:ff99"
| lookup ipv6test ip OUTPUT expected
The IP address is in the subnet, so search displays
true in the
expected field. The search results look something like this.
Configure geospatial lookups
Configure a time-based lookup
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4
Feedback submitted, thanks!