https://community.splunk.com/t5/Splunk-Search/When-use-outputlookup-the-result-is-output-in-incomplete-state/m-p/437074#M124498 <P>Splunk ver : 6.2.7<BR /> OS : CentOS 7</P> <P>I'm trying <CODE>outputlookup</CODE> some lookup files from one lookup file.<BR /> Below is the source lookup file.<BR /> *In fact there are more fields and values.</P> <PRE><CODE>master.csv host, flag AAA, 1 BBB, 1 CCC, 1 </CODE></PRE> <P>The following is a search statement used to split and output the lookup file.</P> <PRE><CODE>| inputlookup master.csv | search host="AAA" | outputlookup AAA.csv | inputlookup master.csv | search host="BBB" | outputlookup BBB.csv | inputlookup master.csv | search host="CCC" | outputlookup CCC.csv </CODE></PRE> <P>However when I check lookup files that made by <CODE>outputlookup</CODE>, the value of the field <CODE>flag</CODE> become null!</P> <P>Does anyone face such an event?<BR /> Also, if you know the solution etc, I would be pleased if you could tell me.</P> Fri, 13 Jul 2018 06:04:42 GMT yutaka1005 2018-07-13T06:04:42Z https://community.splunk.com/t5/Splunk-Search/When-use-outputlookup-the-result-is-output-in-incomplete-state/m-p/437074#M124498 <P>Splunk ver : 6.2.7<BR /> OS : CentOS 7</P> <P>I'm trying <CODE>outputlookup</CODE> some lookup files from one lookup file.<BR /> Below is the source lookup file.<BR /> *In fact there are more fields and values.</P> <PRE><CODE>master.csv host, flag AAA, 1 BBB, 1 CCC, 1 </CODE></PRE> <P>The following is a search statement used to split and output the lookup file.</P> <PRE><CODE>| inputlookup master.csv | search host="AAA" | outputlookup AAA.csv | inputlookup master.csv | search host="BBB" | outputlookup BBB.csv | inputlookup master.csv | search host="CCC" | outputlookup CCC.csv </CODE></PRE> <P>However when I check lookup files that made by <CODE>outputlookup</CODE>, the value of the field <CODE>flag</CODE> become null!</P> <P>Does anyone face such an event?<BR /> Also, if you know the solution etc, I would be pleased if you could tell me.</P> Fri, 13 Jul 2018 06:04:42 GMT https://community.splunk.com/t5/Splunk-Search/When-use-outputlookup-the-result-is-output-in-incomplete-state/m-p/437074#M124498 yutaka1005 2018-07-13T06:04:42Z https://community.splunk.com/t5/Splunk-Search/When-use-outputlookup-the-result-is-output-in-incomplete-state/m-p/437075#M124499 <P>フィールド名が間違っているということはないですか？<BR /> 例えばflagの先頭にスペースが入っているとか</P> Fri, 13 Jul 2018 06:14:48 GMT https://community.splunk.com/t5/Splunk-Search/When-use-outputlookup-the-result-is-output-in-incomplete-state/m-p/437075#M124499 HiroshiSatoh 2018-07-13T06:14:48Z https://community.splunk.com/t5/Splunk-Search/When-use-outputlookup-the-result-is-output-in-incomplete-state/m-p/437076#M124500 <P>flagフィールドに関しては、元lookupファイルからそのままoutputしているので、特にフィールド名による影響は関連が無いかと思います。</P> Fri, 13 Jul 2018 06:16:55 GMT https://community.splunk.com/t5/Splunk-Search/When-use-outputlookup-the-result-is-output-in-incomplete-state/m-p/437076#M124500 yutaka1005 2018-07-13T06:16:55Z