https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509521#M142401 <P>try <STRONG>where</STRONG></P> Thu, 16 Jul 2020 13:36:51 GMT to4kawa 2020-07-16T13:36:51Z https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509405#M142361 <P>I have a lookup file which contains a list of jobnames, description and their SLAs.</P><P>Example:&nbsp;</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%">jobName</TD><TD width="33.333333333333336%">Description</TD><TD width="33.333333333333336%">SLA</TD></TR><TR><TD width="33.333333333333336%">job1</TD><TD width="33.333333333333336%">Example1</TD><TD width="33.333333333333336%">08.00</TD></TR><TR><TD width="33.333333333333336%">job2</TD><TD width="33.333333333333336%">Example2</TD><TD width="33.333333333333336%">10.00</TD></TR><TR><TD width="33.333333333333336%">job5</TD><TD width="33.333333333333336%">Example3</TD><TD width="33.333333333333336%">05.00</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>My index data (index=autosys) contains events for hundreds of jobs, their status and updated time.&nbsp;</P><P>An event example would be: job1, FAILED, 07.00</P><P>I'm trying to write a query to output the below. However, there are cases where there won't be any events for a specific job. In that case, I need to display, "NOT RUNNING"</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%">jobName</TD><TD width="33.333333333333336%">Description</TD><TD width="16.666666666666668%">SLA</TD><TD width="8.333333333333334%">Status</TD><TD width="8.333333333333334%">Updatetime</TD></TR><TR><TD width="33.333333333333336%">job1</TD><TD width="33.333333333333336%">Example1</TD><TD width="16.666666666666668%">08.00</TD><TD width="8.333333333333334%">FAILED</TD><TD width="8.333333333333334%">07.00</TD></TR><TR><TD width="33.333333333333336%">job2</TD><TD width="33.333333333333336%">Example2</TD><TD width="16.666666666666668%">10.00</TD><TD width="8.333333333333334%">SUCCESS</TD><TD width="8.333333333333334%">09.00</TD></TR><TR><TD width="33.333333333333336%">job5</TD><TD width="33.333333333333336%">Example3</TD><TD width="16.666666666666668%">05.00</TD><TD width="8.333333333333334%">NOT RUNNING</TD><TD width="8.333333333333334%">NULL</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I'm using the following query, but it is not displaying the row that does not have any event/data in the index</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">| inputlookup append=t lookup_job.csv | table jobName, SLA, Description | join jobName [search index=autosys | inputlookup lookup_job.csv | fields jobName ]] | table jobName, Description, SLA, Status, Updatedtime</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 15 Jul 2020 21:09:43 GMT https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509405#M142361 nomad1981 2020-07-15T21:09:43Z https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509406#M142362 <P>index=autosys [|inputlookup lookup_job.csv | table jobName| format]<BR />| lookup lookup_job.csv&nbsp; jobName OUTPUT&nbsp;Description, SLA<BR />| table jobName, Description, SLA, Status, Updatedtime</P> Wed, 15 Jul 2020 21:26:39 GMT https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509406#M142362 to4kawa 2020-07-15T21:26:39Z https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509416#M142366 <P>Unfortunately, the query does not return the item from the lookup if there are no events found.&nbsp;</P><P>Also, I need the results to the displayed in the same order of jobName as per what is in the lookup file</P> Wed, 15 Jul 2020 22:42:05 GMT https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509416#M142366 nomad1981 2020-07-15T22:42:05Z https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509495#M142388 <LI-CODE lang="markup">index=autosys | table jobName Status Updatedtime | inputlookup append=t lookup_job.csv | table jobName, Description, SLA, Status, Updatedtime | fillnull status value="NOT RUNNING" | stats values(*) as * by jobName</LI-CODE><P>Like this?</P> Thu, 16 Jul 2020 10:44:51 GMT https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509495#M142388 to4kawa 2020-07-16T10:44:51Z https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509506#M142394 <P>That query returns all jobs in found in the search index autosys.&nbsp;</P><P>I need to return the data that's in the lookup table as is and add 2 additional columns (Status and Updatedtime) which is found in the index data. If the search does not find the Status and Updatedtime for a specfic job, that job should still appear in the table with the 2 fields showing as "NOT RUNNING".&nbsp;</P><P>&nbsp;</P> Thu, 16 Jul 2020 12:22:38 GMT https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509506#M142394 nomad1981 2020-07-16T12:22:38Z https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509521#M142401 <P>try <STRONG>where</STRONG></P> Thu, 16 Jul 2020 13:36:51 GMT https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509521#M142401 to4kawa 2020-07-16T13:36:51Z https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509543#M142411 <P>I was able to sort it out using join type=left</P><P>&nbsp;</P><LI-CODE lang="markup">| inputlookup append=t lookup_job.csv | table jobName, SLA, Description | join type=left jobName [search index=autosys | inputlookup lookup_job.csv | fields jobName ]] | table jobName, Description, SLA, Status, Updatedtime</LI-CODE><P>&nbsp;</P> Thu, 16 Jul 2020 15:36:16 GMT https://community.splunk.com/t5/Splunk-Search/Search-events-based-on-lookup-field-and-display-lookup-row-even/m-p/509543#M142411 nomad1981 2020-07-16T15:36:16Z