https://community.splunk.com/t5/Splunk-Search/inputlookup-special-fields/m-p/557003#M158189 <P>Yes, there is a difference between <FONT face="courier new,courier">lookup</FONT> and <FONT face="courier new,courier">inputlookup</FONT>, but it's not that strange.</P><P>The <FONT face="courier new,courier">lookup</FONT> command searches a lookup table for the given field(s) and returns the corresponding fields for the found value.&nbsp; It's like getting someone's phone number from a telephone directory (remember those?) - find name, return number.</P><P>The <FONT face="courier new,courier">inputlookup</FONT> command returns the entire contents of the lookup file (unless the <FONT face="courier new,courier">where</FONT> option is used).&nbsp; It's the equivalent of saying "read to me the whole phone book".&nbsp; It has nothing to do with how the columns are named.</P><P>I hope this explains why your queries behave the way they do.</P> Thu, 24 Jun 2021 14:29:59 GMT richgalloway 2021-06-24T14:29:59Z https://community.splunk.com/t5/Splunk-Search/inputlookup-special-fields/m-p/556989#M158183 <P>Hello,<BR />I have recently found there is a strange difference between <STRONG><FONT face="courier new,courier">lookup</FONT> </STRONG>and <STRONG><FONT face="courier new,courier">inputlookup</FONT> </STRONG>commands.</P><P>&nbsp;</P><LI-CODE lang="markup">|makeresults | eval uid="asdf" | lookup mydata uid |makeresults | eval uid="asdf" | join uid [| inputlookup mydata] </LI-CODE><P>&nbsp;</P><P>The "<EM>mydata</EM>" lookup is a kvstore collection, with the following columns<BR /><FONT face="courier new,courier">uid, name, address, fields</FONT><BR />I was expecting these two queries to have the same results, but no.<BR />It seems the column "fields" is an array and it's returning a lot of data when used with the <STRONG><FONT face="courier new,courier">inputlookup</FONT></STRONG> command , which is not the case with the first (lookup) query.</P><P>The lookup results are like this:<BR /><FONT face="courier new,courier">_key | uid&nbsp; | name | address | fields</FONT><BR /><FONT face="courier new,courier">...&nbsp; | asdf | john | yes&nbsp;&nbsp;&nbsp;&nbsp; | (empty)</FONT></P><P>The inputlookup results are like this:</P><P><FONT face="courier new,courier">_key | uid&nbsp; | name | address | fields.town | fields.country</FONT><BR /><FONT face="courier new,courier">...&nbsp; | asdf | john | yes&nbsp;&nbsp;&nbsp;&nbsp; | chicago&nbsp;&nbsp;&nbsp;&nbsp; | usa</FONT></P><P>I didn't find any documentation about this.<BR />Your input is welcomed.<BR />Thanks</P> Thu, 24 Jun 2021 15:08:22 GMT https://community.splunk.com/t5/Splunk-Search/inputlookup-special-fields/m-p/556989#M158183 acadea 2021-06-24T15:08:22Z https://community.splunk.com/t5/Splunk-Search/inputlookup-special-fields/m-p/557003#M158189 <P>Yes, there is a difference between <FONT face="courier new,courier">lookup</FONT> and <FONT face="courier new,courier">inputlookup</FONT>, but it's not that strange.</P><P>The <FONT face="courier new,courier">lookup</FONT> command searches a lookup table for the given field(s) and returns the corresponding fields for the found value.&nbsp; It's like getting someone's phone number from a telephone directory (remember those?) - find name, return number.</P><P>The <FONT face="courier new,courier">inputlookup</FONT> command returns the entire contents of the lookup file (unless the <FONT face="courier new,courier">where</FONT> option is used).&nbsp; It's the equivalent of saying "read to me the whole phone book".&nbsp; It has nothing to do with how the columns are named.</P><P>I hope this explains why your queries behave the way they do.</P> Thu, 24 Jun 2021 14:29:59 GMT https://community.splunk.com/t5/Splunk-Search/inputlookup-special-fields/m-p/557003#M158189 richgalloway 2021-06-24T14:29:59Z https://community.splunk.com/t5/Splunk-Search/inputlookup-special-fields/m-p/557004#M158190 <P>that's the definition, it's obvious they are different commands</P><P>but the results of those two commands should have been the same.</P><P>I'm still digging, it seems the "fields" it's an array</P><P>that makes me think <FONT face="courier new,courier">lookup </FONT>cannot deal with displaying&nbsp; arrays while <FONT face="courier new,courier">inputlookup </FONT>can show them</P> Thu, 24 Jun 2021 14:38:00 GMT https://community.splunk.com/t5/Splunk-Search/inputlookup-special-fields/m-p/557004#M158190 acadea 2021-06-24T14:38:00Z https://community.splunk.com/t5/Splunk-Search/inputlookup-special-fields/m-p/557005#M158191 <P>I think the difference in output comes from the <FONT face="courier new,courier">join</FONT> command,&nbsp; By default, it uses an inner join when perhaps you're expecting an outer join.</P><P>Try&nbsp;</P><LI-CODE lang="markup">|makeresults | eval uid="asdf" | join type=outer uid [| inputlookup mydata]</LI-CODE><P>&nbsp;</P> Thu, 24 Jun 2021 14:42:49 GMT https://community.splunk.com/t5/Splunk-Search/inputlookup-special-fields/m-p/557005#M158191 richgalloway 2021-06-24T14:42:49Z https://community.splunk.com/t5/Splunk-Search/inputlookup-special-fields/m-p/557007#M158192 <P>thank you,<BR />I've edited/updated the initial question with an example<BR /><BR /></P> Thu, 24 Jun 2021 14:45:26 GMT https://community.splunk.com/t5/Splunk-Search/inputlookup-special-fields/m-p/557007#M158192 acadea 2021-06-24T14:45:26Z