Fuzzylookup by Deductiv

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and their impact on apps and upgrades here.
Inspired by customer use cases, this app allows you to apply fuzzy logic to lookups from your search result fields for near-matches. Applications include:

- Domain analysis (e.g. lookalike domains)
- Blacklist similarity
- Typo identification

For example, "splunk1" from your events could match "splunk2" in your lookup. Many options are available to customize this behavior and optimize the performance based on your data.

Fuzzylookup - Splunk App by Deductiv

This app allows you to apply fuzzy logic to lookups from your search result fields for near-matches. Use cases include:

  • Domain analysis (lookalike domains)
  • Blacklist similarity
  • Typo identification
Supported Splunk versions: 7.3.x, 8.0.x
Configuration Steps: N/A

Fuzzylookup search command (fuzzylookup)

Syntax:

search | fuzzylookup 
    [ prefix=<string> ]
    [ addmetrics=[True|False] ]
    [ lookupfilter=<kvpairs> ]
    [ mask=<regex> ]
    [ delete=<regex> ]
    <lookup-table-name> 
    ( <lookup-field> [AS <event-field>] ) 
    [ OUTPUT | OUTPUTNEW (<lookup-destfield> [AS <event-destfield>] ) ... ]

Description

Cross-reference your search fields against lookup data for non-exact matches, with the fields from the lookup entry/entries with the best score being appended to the event.

  • The Levenshtein algorithm (from the jellyfish library) is applied to compute a match score.
    • If there are multiple entries with the same score, the tie is broken by how many characters are exact matches.
    • If multiple entries still have the same result, the lookup data is added to the event as multivalue fields.
  • Lookups can be filtered to limit comparisons with event fields and improve performance. Wildcards are supported.
    • Static filters apply for the entire lookup and limit the global dataset being used.
    • Dynamic filters take data from each search result into account, and reference event field names.
    • The following example contains a static filter followed by a dynamic filter, which references the email_domain field in each event:

lookupfilter="LookupField1=\"local admin\" Lookupfield2=\"*@$email_domain$\""
  • Data filtering is supported to limit the number of comparisons being made.
    • For example, email address comparisons can be limited to those where the domains match, as in the lookupfilter example above.
  • Text masking and deletion are supported via regex. This masks or deletes the event field data and the lookup data in memory, prior to any comparisons being made.
    • Data can be sanitized before comparison to treat certain character classes equally. The following example deletes the domain from an email address, deletes dot (.) and underscore (_), and masks all numbers.

delete="(@[^@]+$|\\.|_)" mask="[0-9]"
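The matching pipeline the description above lays out (delete/mask sanitizing of both sides, static and dynamic lookup filters with wildcards and $field$ tokens, Levenshtein scoring, tie-break on exactly matching characters, and all remaining ties returned for multivalue output), as an added Python example that is not the app's own code. The lookup rows and the event are constructed, the positional tie-break is an assumption about how "exact matches" are counted, and a plain edit distance stands in for jellyfish so the block runs offline.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample lookup (a list of admin accounts); not the app's own data.
LOOKUP = [
    {"email": "j.smith1@corp.example", "role": "local admin"},
    {"email": "jsmith2@corp.example", "role": "local admin"},
    {"email": "j_smith@corp.example", "role": "helpdesk"},
    {"email": "jsmith@other.example", "role": "local admin"},
]

def levenshtein(a, b):
    """Plain edit distance; the app gets this from the jellyfish library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sanitize(value, delete=None, mask=None):
    """delete= removes matched text, mask= replaces it with '#' before comparing."""
    if delete:
        value = re.sub(delete, "", value)
    if mask:
        value = re.sub(mask, "#", value)
    return value

def row_passes(row, lookupfilter, event):
    """Static and dynamic filter: $field$ is taken from the event, * is a wildcard."""
    for field, pattern in lookupfilter.items():
        pattern = re.sub(r"\$(\w+)\$", lambda m: event.get(m.group(1), ""), pattern)
        if not fnmatchcase(row.get(field, ""), pattern):
            return False
    return True

def fuzzylookup(event, event_field, lookup_field, lookupfilter=None, delete=None, mask=None):
    """Return every lookup row that shares the best score for event[event_field]."""
    needle = sanitize(event[event_field], delete, mask)
    scored = []
    for row in LOOKUP:
        if lookupfilter and not row_passes(row, lookupfilter, event):
            continue
        hay = sanitize(row[lookup_field], delete, mask)
        exact = sum(x == y for x, y in zip(needle, hay))  # assumed positional tie-break
        scored.append((levenshtein(needle, hay), -exact, row))
    best = min(((dist, neg_exact) for dist, neg_exact, _ in scored), default=None)
    return [row for dist, neg_exact, row in scored if (dist, neg_exact) == best]
```

With the page's delete and mask patterns applied, "j.smith1@corp.example" and "jsmith2@corp.example" both collapse to "jsmith#" and come back together, which is the multivalue case the description mentions.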

Arguments

  • Prefix

    Syntax: prefix=<prefix_text>
    Description: Text to prefix all output field names with. Helpful for applying to every lookup field without aliasing each one.

  • Add Metrics

    Syntax: addmetrics=[True|False]
    Description: Add fuzzy match metrics to each result (score, matching characters, similarity score, consecutive match length).
    Default: False

  • Lookup Filter

    Syntax: lookupfilter="<lookup_field>=\"lookup_value\" <lookup_field>=\"$event_field$\""
    Description: Filter for data in the specified lookup to reduce the number of comparisons.

  • Text Masking

    Syntax: mask="<regular expression>"
    Description: Mask pattern for both compared sets of values. Masks the regex matched text before comparing.

  • Text Deletion

    Syntax: delete="<regular expression>"
    Description: Deletion pattern for both compared sets of values. Removes the regex matched text before comparing.

  • Standard lookup operators (see Syntax)

Support

Having trouble with the app? Feel free to email us and we’ll help you sort it out. You can also reach the author on the Splunk Community Slack.

Features

We love hearing your feedback and ideas for our apps. Please email your suggestions!

Blogs

Check out our blog article on the topic: Gettin' Fuzzy With It.

Release Notes

Version 1.0.3
Oct. 13, 2020

Bug fix for addmetrics option

Version 1.0.2
Sept. 28, 2020

- Added parameter for "add_metrics" to search command.
- Updated the docs.
- Implemented bug fixes and minor edits to the search command code.

Version 1.0.0
Sept. 14, 2020

Initial release.
