Add field matching rules to your lookup configuration
These attributes provide field matching rules for lookups. They can be applied to all three lookup types. Add them to the
transforms.conf stanza for your lookup.
||The maximum number of possible matches for each value input to the lookup table from your events. Range is 1-1000. If the
time_field attribute is is not specified, Splunk software uses the first
<integer> entries, in file order. If the
time_field attribute is specified (because it is a time-bounded lookup), Splunk software uses the first
<integer> entries, in descending time order. In other words, up to
<max_matches> are allowed to match. When this number is surpassed, Splunk software uses the matches closest to the lookup value.
|100 if the |
time_field attribute is not specified. 1 if the
time_field attribute is specified.
||The minimum number of possible matches for each value input to the lookup table from your events. You can use
default_match to help with situations where there are fewer than
min_matches for any given input.
|0 for both non-time-bounded lookups and time-bounded lookups, which means nothing is output to your event if no match is found.
min_matches is greater than 0 and and Splunk software finds fewer than
min_matches for any given input, it provides this
default_match value one or more times until the
min_matches threshold is reached.
true to consider case when matching input lookup table fields. Specify
false to ignore case when matching lookup fields.
Does not apply to KV Store lookups. Reverse lookups also require
||For reverse lookups, the definition of the "input field" and the "output field" are flipped. Because the Splunk software applies
case_sensitive_match to the input field, this means that reverse lookups need an additional case-sensitive match setting for the output field. When
reverse_lookup_honor_case_sensitive_match=true and when
case_sensitive_match=true, Splunk software performs case-sensitive matching for all fields in reverse lookups. When
reverse_lookup_honor_case_sensitive_match=false, Splunk software performs case-insensitive matching for all fields in reverse lookups, even when
This setting does not apply to KV Store lookups. This setting may default to
false in an upcoming release.
||Allows non-exact matching of one or more fields arranged in a list delimited by a comma followed by a space. Format is
match_type = <match_type>(<field_name1>, <field_name2>,...<field_nameN>). Set
WILDCARD to apply wildcard matching, or set it to
CIDR to apply CIDR matching (specifically for IP address values).
EXACT (does not need to be specified)