Handling Wildcard Characters In Lookup File
Hi Guys!!!
Today we have come with an interesting new trick about lookup files. We will show you how to use a lookup file whose matching field contains wildcard characters. If you don’t know what a lookup is and what lookups are used for, please check out our earlier blogs first:
LOOKUPS – LOOKUP TABLE FILES ( PART – 1 )
LOOKUPS – LOOKUP DEFINITION AND AUTOMATIC LOOKUP ( PART – 2 )
So, let’s start.
Here we are going to use two lookup files:
1) OperatingSystem.csv
2) MatchingOS.csv
Step: 1
Please see the image below for the content of OperatingSystem.csv.
Explanation:
Here, we have one field called “os_version”, which contains OS version strings (for example “MacOS 10.13” and “Windows Server 2016 32-bit”).
Step: 2
Please see the image below for the content of MatchingOS.csv.
Here, we have two fields called “matchingOS” and “os_version”.
If you look closely at the field “os_version”, its values contain the wildcard character (*). For each value of “os_version” there is a corresponding value in the “matchingOS” field.
Now, we want to write a query that returns the “matchingOS” field values, using the “os_version” field as the matching field between the two lookup files “OperatingSystem.csv” and “MatchingOS.csv”.
Step: 3
Please see the query below:
| inputlookup OperatingSystem.csv
| lookup MatchingOS.csv os_version
Explanation:
| inputlookup OperatingSystem.csv -> Gets the content of the OperatingSystem.csv file.
| lookup MatchingOS.csv os_version -> Uses the MatchingOS.csv file to perform a lookup and fetch the additional field “matchingOS”, using the field “os_version” as the matching field.
But, as you can see, the “matchingOS” field contains null values, i.e. the lookup is unable to fetch any value for the “matchingOS” field from the “MatchingOS.csv” file.
The reason is the field “os_version”: by default the lookup command performs an exact match, so the asterisk in a value such as “Windows Server 2016*” is treated as a literal character and never matches “Windows Server 2016 32-bit”.
So, to match the field “os_version” with wildcard characters using the lookup command, we have to do some extra steps.
Now, we will create a lookup definition for the lookup file “MatchingOS.csv”. To create it, follow the steps below.
Step: 4
Click on the “Lookups” option under “Settings”.
Step: 5
Now, click on the “+ Add new” option beside “Lookup definitions” to create a new lookup definition for the lookup file “MatchingOS.csv”.
Step: 6
Explanation:
Here, in the “Name” option we have given the definition name “MatchingOS”, which we will use in the next query. [You can use any relevant name.]
Then in the “Lookup file” dropdown we have selected the file that has the wildcard-based values, i.e. “MatchingOS.csv”.
Now, we have to check the “Advanced options” box to reveal the advanced options. Please see the image below.
Explanation:
After checking the “Advanced options” box we get these options.
Now, in the “Match type” option we have given “WILDCARD(os_version)” because the “os_version” field has wildcard characters. [The field name inside the parentheses must be the field in the lookup file that holds the patterns, not the field in your events.]
Then click on “Save” to save the changes.
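The same lookup definition can be created without the UI by editing transforms.conf. The stanza below is an added example for this blog, not a screenshot from the original post; it assumes the file MatchingOS.csv has been uploaded to the lookups directory of the same app (for example $SPLUNK_HOME/etc/apps/search/lookups/), and the stanza goes in that app’s local/transforms.conf. The `case_sensitive_match`, `max_matches` and `default_match` lines are optional additions that are not shown in the UI steps above.

```ini
# local/transforms.conf of the app that owns MatchingOS.csv
# Added example: equivalent of the "MatchingOS" lookup definition created in the UI.
[MatchingOS]
filename = MatchingOS.csv
# os_version is the column in MatchingOS.csv that holds patterns such as "Windows Server 2016*"
match_type = WILDCARD(os_version)
# Optional: match "macos 10.13" as well as "MacOS 10.13" (file-based lookups match case-sensitively unless told otherwise)
case_sensitive_match = false
# Optional: when several patterns match one value, return only one row instead of a multivalued matchingOS field.
# With a single match, order the rows in the CSV from most specific to least specific pattern.
max_matches = 1
# Optional: emit this value for rows that match no pattern instead of leaving matchingOS null
min_matches = 1
default_match = unknown
```

After saving the file, restart Splunk or run `| extract reload=true` is not enough for lookups; reload the configuration (a debug/refresh from the Splunk web interface or a restart) and check the definition’s sharing/permissions so that the search users who need it can see it. Two caveats for anyone using this kind of lookup to normalize asset data for detections: a row containing a bare `*` pattern matches every value, so a careless row silently swallows everything after it, and overlapping patterns such as “Windows Server*” and “Windows Server 2016*” will both match unless `max_matches` is limited and the rows are ordered sensibly.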
Step: 7
Please see the query below:
| inputlookup OperatingSystem.csv
| lookup MatchingOS os_version
Explanation:
As you can see in the above image, we have used:
| inputlookup OperatingSystem.csv -> Gets the content of the OperatingSystem.csv file.
| lookup MatchingOS os_version -> Here we use the lookup definition called “MatchingOS” (instead of the raw .csv file) to perform the lookup. We get the additional field “matchingOS” using the field “os_version” as the matching field. Note that the lookup definition, not the CSV file name, is what carries the WILDCARD match type, which is why this query works and the query in Step 3 did not.
As you can see in the above image, we are now getting the “matchingOS” field values from the “MatchingOS.csv” file.
e.g. “MacOS” for “MacOS 10.13”
“Windows Server 2016” for “Windows Server 2016 32-bit”, etc.
Hope you have understood the topic: Handling Wildcard Characters In Lookup File
Happy Splunking !!!