Mint

Reputation: 33

About lookup command when the lookup file contains strings and regular expressions

I have a question about the lookup command when the lookup file contains strings and regular expressions.

The following is an example.

field var_1 : String

field var_2 : String

field var_3 : Regex or String

field var_4 : String

lookup file

------lookup file-----------------------------
var_1, var_2, var_3, var_4
data10, data11, .+(:?aaa|bbb), data13
data20, data21, .+(:?ccc|ddd|eee), data23
data30, data31, .+(:?eee)fff+(:?ggg|hhh), data33
--------------------------------------------------

I would like to return var_4 when var_1, var_2, and var_3 are matched by the lookup command, but var_3 may contain a regular expression, and the lookup needs to match the condition of the regular expression. As you know, regular expressions are not allowed in the lookup-field in the lookup command.

↓↓↓ Regular expressions cannot be used ↓↓↓

| makeresults
| eval var_1 = "data10", var_2 = "data11" , var_3 = "ABC123aaa"
| lookup var_1 var_2 var_3 OUTPUT var_4

It is necessary to use the lookup file (csv). If the lookup command is not the best way to solve this problem, then another command such as join is fine to use. Obviously, I don’t intend to use only the lookup command. I’m looking for other ways to do it as well.

Can someone please help me with this?

Thanks in advance!!

Upvotes: 0

Views: 654

Answers (1)

RichG

Reputation: 9926

Lookup files support only exact string matching. Lookup definitions also support wildcard and CIDR matches.

Regular expressions can be used, but are treated as exact strings unless the field is set up for wildcard matching in the lookup definition. Even then, wildcards in the regex are treated as such and the remaining characters in the regex are matched literally.

The lookup command in the example SPL is invalid because a lookup table or file is not specified.

Upvotes: 0
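
The matching rules described in the answer above, modelled in Python as an added example (not part of the original answer, and not Splunk's implementation). The `data40` row, the function names and the `regex` mode are assumptions made for illustration; `regex` mode shows the behaviour the question hoped for, which the lookup does not provide.

```python
import csv
import io
import re

# Constructed copy of the question's lookup file (spaces trimmed). The
# data40 row is an added, hypothetical row that uses the '*' wildcard.
LOOKUP_CSV = """var_1,var_2,var_3,var_4
data10,data11,.+(:?aaa|bbb),data13
data20,data21,.+(:?ccc|ddd|eee),data23
data30,data31,.+(:?eee)fff+(:?ggg|hhh),data33
data40,data41,*aaa,data43
"""


def wildcard_to_regex(cell):
    """Only '*' is special; regex metacharacters in the cell stay literal."""
    return re.compile(".*".join(re.escape(p) for p in cell.split("*")), re.DOTALL)


def cell_matches(cell, value, mode):
    if mode == "exact":          # plain lookup file
        return cell == value
    if mode == "wildcard":       # field set up for wildcard matching
        return wildcard_to_regex(cell).fullmatch(value) is not None
    if mode == "regex":          # what the question wants; not a lookup mode
        try:
            return re.fullmatch(cell, value) is not None
        except re.error:         # e.g. '*aaa' is not a valid regex
            return False
    raise ValueError(f"unknown mode: {mode}")


def lookup(event, var_3_mode="exact"):
    """Return var_4 of the first row matching var_1, var_2 and var_3."""
    for row in csv.DictReader(io.StringIO(LOOKUP_CSV)):
        if (row["var_1"] == event["var_1"]
                and row["var_2"] == event["var_2"]
                and cell_matches(row["var_3"], event["var_3"], var_3_mode)):
            return row["var_4"]
    return None


if __name__ == "__main__":
    event = {"var_1": "data10", "var_2": "data11", "var_3": "ABC123aaa"}
    for mode in ("exact", "wildcard", "regex"):
        print(mode, "->", lookup(event, mode))
```

For the question's event, only the `regex` mode returns `data13`; the exact and wildcard modes match that row only when `var_3` is the literal text `.+(:?aaa|bbb)`.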
