Add field matching rules to your lookup configuration
These attributes provide field matching rules for lookups. They can be applied to all four lookup types. Add them to the transforms.conf stanza for your lookup. 
| Attribute | Type | Description | Default | 
|---|---|---|---|
| max_matches | Integer | The maximum number of possible matches for each value input to the lookup table from your events. Range is 1-1000. If the time_fieldattribute is is not specified, Splunk software uses the first<integer>entries, in file order. If thetime_fieldattribute is specified (because it is a time-bounded lookup), Splunk software uses the first<integer>entries, in descending time order. In other words, up to<max_matches>are allowed to match. When this number is surpassed, Splunk software uses the matches closest to the lookup value. | 100 if the time_fieldattribute is not specified. 1 if thetime_fieldattribute is specified. | 
| min_matches | Integer | The minimum number of possible matches for each value input to the lookup table from your events. You can use default_matchto help with situations where there are fewer thanmin_matchesfor any given input. | 0 for both non-time-bounded lookups and time-bounded lookups, which means nothing is output to your event if no match is found. | 
| default_match | String | When min_matchesis greater than 0 and and Splunk software finds fewer thanmin_matchesfor any given input, it provides thisdefault_matchvalue one or more times until themin_matchesthreshold is reached.Splunk software treats NULL values as matching values and does not replace them with the  | Empty string | 
| case_sensitive_match | Boolean | Specify trueto consider case when matching input lookup table fields. Specifyfalseto ignore case when matching lookup fields.Does not apply to KV Store lookups. Reverse lookups also requirereverse_lookup_honor_case_sensitive_match=true. | true | 
| reverse_lookup_honor_case_sensitive_match | Boolean | For reverse lookups, the definition of the "input field" and the "output field" are flipped. Because the Splunk software applies case_sensitive_matchto the input field, this means that reverse lookups need an additional case-sensitive match setting for the output field. Whenreverse_lookup_honor_case_sensitive_match=trueand whencase_sensitive_match=true, Splunk software performs case-sensitive matching for all fields in reverse lookups. Whenreverse_lookup_honor_case_sensitive_match=false, Splunk software performs case-insensitive matching for all fields in reverse lookups, even whencase_sensitive_match=true.This setting does not apply to KV Store lookups. This setting may default tofalsein an upcoming release. | true | 
| match_type | String | Allows non-exact matching of one or more fields arranged in a list delimited by a comma followed by a space. Format is match_type = <match_type>(<field_name1>, <field_name2>,...<field_nameN>). Setmatch_typetoWILDCARDto apply wildcard matching, or set it toCIDRto apply CIDR matching (specifically for IP address values). | EXACT(does not need to be specified) | 
Example of using match_type for IPv6 CIDR match
In this example, you can use the the match_type attribute in addition to the lookup command to determine whether a specific IPv6 address is in a CIDR subnet. You can follow along with the example by performing these steps. 
- Create a lookup table in the $SPLUNK_HOME/etc/apps/search/lookups folder called ipv6test.csv that contains the following text. ip,expected 2001:0db8:ffff:ffff:ffff:ffff:ffff:ff00/120,trueNote that the ipfield in the lookup table contains the subnet value, not the IP address. This is because thematch_typeattribute that will be added to the transforms.conf file in the next step tells thelookupcommand that the value in that field is to be treated as a CIDR subnet for matching purposes.
- Add the following entry to your local transforms.conf file, which is typically located in the $SPLUNK_HOME/etc/system/local folder. See How to edit a configuration file. [ipv6test] filename = ipv6test.csv match_type=CIDR(ip)
- Run the following search to match the IP address to the subnet. | makeresults | eval ip="2001:0db8:ffff:ffff:ffff:ffff:ffff:ff99" | lookup ipv6test ip OUTPUT expectedThe IP address is in the subnet, so search displays truein theexpectedfield. The search results look something like this.time expected ip 2020-11-19 16:43:31 true 2001:0db8:ffff:ffff:ffff:ffff:ffff:ff99 
See also
Functions