All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find a value from a lookup table inside a field from search

genesiusj
Builder
‎04-06-2021 01:59 PM

Hello,

I have a lookup table that contains some words: ANGEL, DEVIL, CHURCH, KING, LOVE etc.
I have a search that returns a list of garbled letters: GJKLSER, WIUPAF, NVSDEVILDFP, QNJSANGELW, KINGGVSCHURCH, TRANGELOVEMGX, etc.

Need to find when the word from the lookup is contained in the list of garbled letters (highlighted red above). Also need to know which word(s) were found, as in the green example above; including if the lookup words overlap, as in the purple letter example above.

Each word in the lookup table has a corresponding score, which needs to be included in the results. 

Lastly, the lookup table contains over 1000 words/scores. Otherwise, I would think a foreach would work.

Thanks in advance for ideas, thoughts, direction.

God bless and safe and healthy to you and yours,
Genesius

 

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-06-2021 02:10 PM

In your lookup, add the words with leading and trailing * characters and make a lookup definition that sets the match type for that field as wildcard, e.g.

WILDCARD(fieldName) 

then when you lookup your field, it will get a match. Use lookup like this

| lookup lookup_definition word OUTPUT word as found_word score

so, the word actually found will be returned as a new field found_word

Hope this helps

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-06-2021 02:10 PM

In your lookup, add the words with leading and trailing * characters and make a lookup definition that sets the match type for that field as wildcard, e.g.

WILDCARD(fieldName) 

then when you lookup your field, it will get a match. Use lookup like this

| lookup lookup_definition word OUTPUT word as found_word score

so, the word actually found will be returned as a new field found_word

Hope this helps

 

Reply
Solved! Jump to solution

genesiusj
Builder
‎04-06-2021 02:36 PM

@bowesmana 

That was PERFECT!

While I have made lookup defs before, I never used them. I didn't know that the def could be used in place of the file name in the lookup command. I understood about the WILDCARD and my lookup included *ANGEL*, etc.

Thanks and God bless,
Genesius

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...