Using a lookup with wildcards
Splunk lookups also support wildcards, which we can use in this case. One advantage is that we can define arbitrary fields for grouping, independent of the values of url.

For a lookup wildcard to work, first we need to set up our url field and the lookup:

1. Extract the url field. The rex pattern we used before should work: \s[A-Z]+\s(?P<url>.*?)\s. See Chapter 3, Tables, Charts, and Fields, for detailed instructions on setting up a field extraction. Don't forget to set permissions on the extraction.

2. Create our lookup file. Let's call the lookup file flatten_summary_lookup.csv. Use the following contents for our example log:

url,section
/about/*,about
/contact/*,contact
/*/*,unknown_non_root
/*,root
*,nomatch

If you create your lookup file in Excel on a Mac, be sure to save the file using the format Windows Comma Separated (.csv).

3. Upload the lookup table file, create our lookup definition, and automatic lookup. See the Using lookups to enrich data section in Chapter 6, Extending Search, for detailed instructions. The automatic lookup definition should look like the following screenshot (the value of Name doesn't matter):
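To see why the rows of flatten_summary_lookup.csv are ordered from most to least specific, the following added example (not code from the book or from Splunk) applies the same rex pattern and the same wildcard table to a few constructed log lines. It assumes Splunk's WILDCARD match behaviour of trying rows in file order and keeping only the first match (the default max_matches of 1).

```python
import csv
import io
import re

# The lookup file exactly as defined in step 2 above.
FLATTEN_SUMMARY_LOOKUP = """url,section
/about/*,about
/contact/*,contact
/*/*,unknown_non_root
/*,root
*,nomatch
"""

# The rex pattern from step 1: whitespace, an upper-case HTTP method,
# whitespace, then the url up to the next whitespace.
URL_RE = re.compile(r"\s[A-Z]+\s(?P<url>.*?)\s")

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 - - [10/Oct/2000:13:55:36] GET /about/team HTTP/1.1 200",
    "10.0.0.6 - - [10/Oct/2000:13:55:37] POST /contact/form HTTP/1.1 302",
    "10.0.0.7 - - [10/Oct/2000:13:55:38] GET /products/widget HTTP/1.1 200",
    "10.0.0.8 - - [10/Oct/2000:13:55:39] GET / HTTP/1.1 200",
    "10.0.0.9 - - [10/Oct/2000:13:55:40] GET /index.html HTTP/1.1 200",
    "10.0.0.10 - - [10/Oct/2000:13:55:41] GET about HTTP/1.1 404",
]

def wildcard_to_regex(pattern):
    """Assumed wildcard semantics: '*' matches any run of characters
    (including '/'); every other character is literal."""
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")

def load_lookup(text):
    """Parse the CSV and keep the rows in file order; order is the priority."""
    rows = csv.DictReader(io.StringIO(text))
    return [(wildcard_to_regex(r["url"]), r["section"]) for r in rows]

def lookup_section(url, table):
    """First matching row wins, mirroring max_matches=1."""
    for rx, section in table:
        if rx.match(url):
            return section
    return None  # no row matched; Splunk would leave section unset

def extract_url(line):
    m = URL_RE.search(line)
    return m.group("url") if m else None

def sections_for_log(lines, lookup_text=FLATTEN_SUMMARY_LOOKUP):
    """Return [(url, section), ...] for each line, as the automatic lookup would."""
    table = load_lookup(lookup_text)
    return [(u, lookup_section(u, table)) for u in map(extract_url, lines) if u]
```

Swapping the /* and /*/* rows would make every two-segment path report root, which is the ordering mistake the table above avoids.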