icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Cancel Visit New Splunkbase Visit
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Apache 2.0

Splunk Websites Terms and Conditions of Use

Thank You

Downloading Fuzzylookup by Deductiv
SHA256 checksum (fuzzylookup-by-deductiv_105.tgz) bf906fb2e00751c2cbbb7974b26c24d2d4a870cf7676c39f2c021674388bfe3e SHA256 checksum (fuzzylookup-by-deductiv_104.tgz) 221e557fb43046f09b6727cbe1a9d61600c5b5053e914c967f101a7647bf2b3f SHA256 checksum (fuzzylookup-by-deductiv_103.tgz) 9249807a2e3b8f4f44c88bc50a8e1264b8de41a6dcfff2bd16a29c280816dc7f SHA256 checksum (fuzzylookup-by-deductiv_102.tgz) 155359de2a808b7f5383abd214e0d4b6175952de3976cf693a269bfe509e33e3 SHA256 checksum (fuzzylookup-by-deductiv_100.tgz) d69d772f2cbdd16524790a0f880e9d3bfa08f44cb7e7718ea500751d58b31c9f
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate
splunk

Fuzzylookup by Deductiv

Splunk Cloud
Overview
Details
Inspired by customer use cases, this app allows you to apply fuzzy logic to lookups from your search result fields for near-matches. Applications include:

- Domain analysis (e.g. lookalike domains)
- Blacklist similarity
- Typo identification

For example, "splunk1" from your events could match "splunk2" in your lookup. Many options are available to customize this behavior and optimize the performance based on your data.

If you find this free app useful, please be sure to give it a rating.

Fuzzylookup - Splunk App by Deductiv

This app allows you to apply fuzzy logic to lookups from your search result fields for near-matches. Use cases include:

  • Domain analysis (lookalike domains)
  • Blacklist similarity
  • Typo identification
Supported Splunk versions: 7.3.x, 8.0.x
Configuration Steps: N/A

Fuzzylookup search command (fuzzylookup)

Syntax:

search | fuzzylookup 
    [ prefix=<string> ]
    [ addmetrics=[True|False] ]
    [ lookupfilter=<kvpairs> ]
    [ mask=<regex> ]
    [ delete=<regex> ]
    <lookup-table-name> 
    ( <lookup-field> [AS <event-field>] ) 
    [ OUTPUT | OUTPUTNEW (<lookup-destfield> [AS <event-destfield>] ) ... ]

Description

Cross-reference your search fields against lookup data for non-exact matches, with the fields from the lookup entry/entries with the best score being appended to the event.

  • The Levenstein algorithm (from the jellyfish library) is applied to compute a match score.
    • If there are multiple entries with the same score, the tie is broken by how many characters are exact matches.
    • If multiple entries still have the same result, the lookup data is added to the event as multivalue fields.
  • Lookups can be filtered to limit comparisons with event fields and improve performance. Wildcards are supported.
    • Static filters apply for the entire lookup and limit the global dataset being used.
    • Dynamic filters take data from each search result into account, and reference event field names.
    • The following example contains a static filter followed by a dynamic filter, which references the email_domain field in each event: 

lookupfilter="LookupField1=\"local admin\" Lookupfield2=\"*@$email_domain$\""
  • Data filtering is supported to limit the number of comparisons being made.
    • For example, a email address comparisons can be limited to those where the domains match:
  • Text masking and deletion is supported via regex. This masks or deletes the event field data and the lookup data in memory, prior to any comparisons being made.
    • Data can be sanitized before comparison to treat certain character classes equally. The following example deletes the domain from an email address, deletes dot (.) and underscore (_), and masks all numbers. 

delete="(@[^@]+$|\\.|_)" mask="[0-9]"

Arguments

  • Prefix

    Syntax: prefix=<prefix_text>
    Description: Text to prefix all output field names with. Helpful for applying to every lookup field without aliasing each one.

  • Add Metrics

    Syntax: addmetrics=[True|False]
    Description: Add fuzzy match metrics to each result (score, matching characters, similarity score, consecutive match length).
    Default: False

  • Lookup Filter

    Syntax: lookupfilter="<lookup_field>=\"lookup_value\" <lookup_field>=\"$event_field$\""
    Description: Filter for data in the specified lookup to reduce the number of comparisons

  • Text Masking

    Syntax: mask="<regular expression>"
    Description: Mask pattern for both compared sets of values. Masks the regex matched text before comparing.

  • Text Deletion

    Syntax: delete="<regular expression>"
    Description: Deletion pattern for both compared sets of values. Removes the regex matched text before comparing.

  • Standard lookup operators (see Syntax)

Support

Having trouble with the app? Feel free to email us and we’ll help you sort it out. You can also reach the author on the Splunk Community Slack.

Features

We love hearing your feedback and ideas for our apps. Please email your suggestions!

Blogs

Check out our blog article on the topic: Gettin' Fuzzy With It.

Release Notes

Version 1.0.5
Aug. 24, 2021
  • Added searchbnf.conf for search syntax highlighting and hints.
  • Bugfix for KeyError when the target lookup field did not exist.
Version 1.0.4
June 16, 2021

Resolved an issue where the app was not working under Windows.
Version 1.0.3
Oct. 13, 2020

Bug fix for addmetrics option
Version 1.0.2
Sept. 28, 2020
  • Added parameter for "add_metrics" to search command.
  • Updated the docs.
  • Implemented bug fixes and minor edits to the search command code.
Version 1.0.0
Sept. 14, 2020

Initial release.
40
Installs
197
Downloads
Share Subscribe LOGIN TO DOWNLOAD
Version
Built by
Deductiv Inc
Support
Developer Supported
Contact Developer Questions on Splunk Answers Flag as inappropriate
Compatibility
This version of the app (1.0.4) is not available for Splunk Cloud. However, version 1.0.5 of this app is available for Splunk Cloud.
This version of the app (1.0.3) is not available for Splunk Cloud. However, version 1.0.5 of this app is available for Splunk Cloud.
This version of the app (1.0.2) is not available for Splunk Cloud. However, version 1.0.5 of this app is available for Splunk Cloud.
This version of the app (1.0.0) is not available for Splunk Cloud. However, version 1.0.5 of this app is available for Splunk Cloud.
Products: Splunk Enterprise, Splunk Cloud Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise
Splunk Versions: 7.3, 8.0, 8.1, 8.2 Platform: Platform Independent Splunk Versions: 7.3, 8.0, 8.1, 8.2 Platform: Platform Independent Splunk Versions: 7.3, 8.0, 8.1, 8.2 Platform: Platform Independent Splunk Versions: 7.3, 8.0, 8.1, 8.2 Platform: Platform Independent Splunk Versions: 7.3, 8.0, 8.1, 8.2 Platform: Platform Independent
Licensing
Apache 2.0
Category & Contents
Categories: IT Operations, Security, Fraud & Compliance
App Type: App
Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Submit New Splunk App Dev Resources
PLATFORM
Data-to-Everything Platform
Splunk Cloud
Splunk Enterprise
Splunk Machine Learning Toolkit
Splunk Data Stream Processor
Pricing
Free Trials & Downloads
SECURITY PRODUCTS
Splunk Enterprise Security
Splunk Phantom
Splunk Mission Control
Splunk User Behavior Analytics
IT OPERATIONS & OBSERVABILITY PRODUCTS
Splunk Infrastructure Monitoring
Splunk IT Service Intelligence
Splunk Application Performance Monitoring
Splunk On-Call
SOLUTIONS BY INITIATIVE
Cloud Transformation
SOLUTIONS BY FUNCTION
Security
IT
Devops
SOLUTIONS BY INDUSTRY
Aerospace & Defense
Communications
Energy & Utilities
Financial Services
Healthcare
Higher Education
Manufacturing
Nonprofits
Online Services
Public Sector
Retail
WHY SPLUNK?
Why Splunk?
Customer Stories
Partners
Data-to-Everything
Diversity & Inclusion
SUPPORT
Support Portal
Support Programs
Splunk Answers
Contact Us
Product Security Updates
RESOURCES
Events
Webinars
Blogs
Customer Success
Expert Services
Data Insider
View All Resources
FOR DEVELOPERS
Documentation
Best Practices
Get Started with Splunk
Training & Certification
User Groups
Community
Splunkbase
Splunk dev
COMPANY
About Splunk
Careers
Leadership
Splunk for Good
Splunk Ventures
Splunk Protects
Newsroom
COVID-19 Response
SPLUNK SITES
.conf
Splunk Live!
T-Shirt Store
Investor Relations
Follow Us:
© 2005-2021 Splunk Inc. All rights reserved.
Sitemap | Privacy | Website Terms of Use | Splunk Licensing Terms | Export Control | Modern Slavery Statement | Splunk Patents | Report a Problem
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.