Inspired by customer use cases, this app allows you to apply fuzzy logic to lookups from your search result fields for near-matches. Applications include:

- Domain analysis (e.g. lookalike domains)
- Blacklist similarity
- Typo identification

For example, "splunk1" from your events could match "splunk2" in your lookup. Many options are available to customize this behavior and optimize the performance based on your data.

If you find this free app useful, please be sure to give it a rating.

Fuzzylookup - Splunk App by Deductiv

This app allows you to apply fuzzy logic to lookups from your search result fields for near-matches. Use cases include:

  • Domain analysis (lookalike domains)
  • Blacklist similarity
  • Typo identification
Supported Splunk versions: 7.3.x, 8.0.x
Configuration Steps: N/A

Fuzzylookup search command (fuzzylookup)


search | fuzzylookup 
    [ prefix=<string> ]
    [ addmetrics=[True|False] ]
    [ lookupfilter=<kvpairs> ]
    [ mask=<regex> ]
    [ delete=<regex> ]
    ( <lookup-field> [AS <event-field>] ) 
    [ OUTPUT | OUTPUTNEW (<lookup-destfield> [AS <event-destfield>] ) ... ]


Cross-references your search fields against lookup data to find non-exact matches. The fields from the best-scoring lookup entry (or entries) are appended to the event.

  • The Levenshtein algorithm (from the jellyfish library) is applied to compute a match score.
    • If there are multiple entries with the same score, the tie is broken by how many characters are exact matches.
    • If multiple entries still have the same result, the lookup data is added to the event as multivalue fields.
  • Lookups can be filtered to limit comparisons with event fields and improve performance. Wildcards are supported.
    • Static filters apply for the entire lookup and limit the global dataset being used.
    • Dynamic filters take data from each search result into account, and reference event field names.
    • The following example contains a static filter followed by a dynamic filter, which references the email_domain field in each event:

lookupfilter="LookupField1=\"local admin\" Lookupfield2=\"*@$email_domain$\""
  • Data filtering is supported to limit the number of comparisons being made.
    • For example, email address comparisons can be limited to those where the domains match:
  • Text masking and deletion are supported via regex. This masks or deletes the event field data and the lookup data in memory, prior to any comparisons being made.
    • Data can be sanitized before comparison to treat certain character classes equally. The following example deletes the domain from an email address, deletes dot (.) and underscore (_), and masks all numbers.

delete="(@[^@]+$|\\.|_)" mask="[0-9]"
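The scoring behaviour described above, as an added Python sketch (not the app's own code). A hand-written Levenshtein distance stands in for the jellyfish call, the tie-breaker is assumed to count positionally identical characters, and the `*` mask character, the function names and the sample lookup rows are constructed for illustration.

```python
import re

def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) using two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(value, delete=None, mask=None, mask_char="*"):
    """Apply delete= then mask= to a value; mask_char is an assumption."""
    if delete:
        value = re.sub(delete, "", value)
    if mask:
        value = re.sub(mask, mask_char, value)
    return value

def fuzzy_lookup(event_value, lookup_rows, field, delete=None, mask=None):
    """Return (score, rows): the best-scoring rows, all of them when still tied."""
    target = normalize(event_value, delete, mask)
    ranked = []
    for row in lookup_rows:
        cand = normalize(row[field], delete, mask)
        score = levenshtein(target, cand)
        # Assumed tie-breaker: positions where both strings hold the same character.
        exact = sum(x == y for x, y in zip(target, cand))
        ranked.append((score, -exact, row))
    if not ranked:
        return None, []
    best = min((s, e) for s, e, _ in ranked)
    return best[0], [r for s, e, r in ranked if (s, e) == best]

# Constructed sample lookup of protected domains (not shipped with the app).
LOOKUP = [
    {"domain": "splunk.com", "owner": "corp"},
    {"domain": "splunk.net", "owner": "lab"},
    {"domain": "example.org", "owner": "test"},
]

if __name__ == "__main__":
    # One substitution away from a protected domain: a single best row.
    print(fuzzy_lookup("sp1unk.com", LOOKUP, "domain"))
    # TLD deleted and digits masked: two rows tie, so both are returned.
    print(fuzzy_lookup("splunk9.io", LOOKUP, "domain", delete=r"\.[a-z]+$", mask=r"[0-9]"))
```

Because masking and deletion are applied to both sides before scoring, a broad `delete` pattern can make distinct lookup entries indistinguishable, which is what produces the multivalue result in the second call.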


  • Prefix

    Syntax: prefix=<prefix_text>
    Description: Text to prefix all output field names with. Helpful for applying to every lookup field without aliasing each one.

  • Add Metrics

    Syntax: addmetrics=[True|False]
    Description: Add fuzzy match metrics to each result (score, matching characters, similarity score, consecutive match length).
    Default: False

  • Lookup Filter

    Syntax: lookupfilter="<lookup_field>=\"lookup_value\" <lookup_field>=\"$event_field$\""
    Description: Filter for data in the specified lookup to reduce the number of comparisons.

  • Text Masking

    Syntax: mask="<regular expression>"
    Description: Mask pattern for both compared sets of values. Masks the regex matched text before comparing.

  • Text Deletion

    Syntax: delete="<regular expression>"
    Description: Deletion pattern for both compared sets of values. Removes the regex matched text before comparing.

  • Standard lookup operators (see Syntax)
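A model of the static and dynamic lookupfilter behaviour described earlier, as an added Python sketch (not the app's own code). It assumes the pairs are ANDed, that wildcards behave like case-sensitive globs, and that event values are escaped before substitution so a `*` arriving in event data cannot widen the filter; all names and rows are constructed.

```python
import re
from fnmatch import fnmatchcase

PAIR = re.compile(r'(\w+)="([^"]*)"')   # field="pattern" pairs
TOKEN = re.compile(r"\$(\w+)\$")        # $event_field$ reference

def parse_filter(spec):
    """Split 'field="pattern" field2="pattern"' into (field, pattern) tuples."""
    return PAIR.findall(spec)

def literal(value):
    """Escape glob metacharacters so event data is matched literally."""
    return re.sub(r"([*?\[])", r"[\1]", value)

def static_filter(rows, pairs):
    """Static pairs hold no $token$; apply them once to shrink the whole lookup."""
    static = [(f, p) for f, p in pairs if not TOKEN.search(p)]
    return [r for r in rows if all(fnmatchcase(r.get(f, ""), p) for f, p in static)]

def dynamic_filter(rows, pairs, event):
    """Dynamic pairs are re-evaluated per event with each $token$ filled in."""
    for f, p in pairs:
        if TOKEN.search(p):
            filled = TOKEN.sub(lambda m: literal(event.get(m.group(1), "")), p)
            rows = [r for r in rows if fnmatchcase(r.get(f, ""), filled)]
    return rows

# Constructed lookup rows and filter string (field names are illustrative).
ROWS = [
    {"role": "local admin", "email": "a@corp.example"},
    {"role": "local admin", "email": "b@other.example"},
    {"role": "domain user", "email": "c@corp.example"},
]
SPEC = 'role="local admin" email="*@$email_domain$"'

if __name__ == "__main__":
    pairs = parse_filter(SPEC)
    narrowed = static_filter(ROWS, pairs)           # done once per search
    for event in ({"email_domain": "corp.example"}, {"email_domain": "*"}):
        print(event, dynamic_filter(narrowed, pairs, event))
```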


Having trouble with the app? Feel free to email us and we’ll help you sort it out. You can also reach the author on the Splunk Community Slack.


We love hearing your feedback and ideas for our apps. Please email your suggestions!


Check out our blog article on the topic: Gettin' Fuzzy With It.

Release Notes

Version 1.0.7
Feb. 2, 2022

Updated Splunk SDK

Version 1.0.6
Nov. 5, 2021

Removed custom logging.conf file, resolving a Splunkbase compliance issue.

Version 1.0.5
Aug. 24, 2021

  • Added searchbnf.conf for search syntax highlighting and hints.
  • Bugfix for KeyError when the target lookup field did not exist.

Version 1.0.4
June 16, 2021

Resolved an issue where the app was not working under Windows.

Version 1.0.3
Oct. 13, 2020

Bug fix for addmetrics option

Version 1.0.2
Sept. 28, 2020

  • Added parameter for "add_metrics" to search command.
  • Updated the docs.
  • Implemented bug fixes and minor edits to the search command code.

Version 1.0.0
Sept. 14, 2020

Initial release.
