https://community.splunk.com/t5/Splunk-Search/Values-from-inputlookup-file-not-captured-in-syslog/m-p/343144#M164376 <P>Hello All,</P> <P>I wrote below query to get the URLs from inputlookup file that is not captured in syslog.But didnt give me any results.Can someone please help me to find out the issue with below query.</P> <OL> <LI>|inputlookup URLs.csv | fields Domains| rename Domains as domain | join domain[search index=* sourcetype=syslog eventtype=DNS host="device1" OR host="device2" | where domain=""] | table domain</LI> </OL> Tue, 12 Dec 2017 15:44:03 GMT Maverick904 2017-12-12T15:44:03Z https://community.splunk.com/t5/Splunk-Search/Values-from-inputlookup-file-not-captured-in-syslog/m-p/343144#M164376 <P>Hello All,</P> <P>I wrote below query to get the URLs from inputlookup file that is not captured in syslog.But didnt give me any results.Can someone please help me to find out the issue with below query.</P> <OL> <LI>|inputlookup URLs.csv | fields Domains| rename Domains as domain | join domain[search index=* sourcetype=syslog eventtype=DNS host="device1" OR host="device2" | where domain=""] | table domain</LI> </OL> Tue, 12 Dec 2017 15:44:03 GMT https://community.splunk.com/t5/Splunk-Search/Values-from-inputlookup-file-not-captured-in-syslog/m-p/343144#M164376 Maverick904 2017-12-12T15:44:03Z https://community.splunk.com/t5/Splunk-Search/Values-from-inputlookup-file-not-captured-in-syslog/m-p/343145#M164377 <P>I suggest you move your search strings around such that your <CODE>inputlookup</CODE> is the one inside your <CODE>join</CODE> search:</P> <PRE><CODE>index=* sourcetype=syslog eventtype=DNS host="device1" OR host="device2" | where domain="" | join domain [| inputlookup URLs.csv | fields Domains | rename Domains as domain ] | table domain </CODE></PRE> <P>In your example (and in mine as I tried to keep it the same as yours), you are searching for an empty <CODE>domain</CODE> field, but are also joining on the same <CODE>domain</CODE> field. This seems like it would cause an issue with your <CODE>join</CODE>.</P> Tue, 12 Dec 2017 16:43:46 GMT https://community.splunk.com/t5/Splunk-Search/Values-from-inputlookup-file-not-captured-in-syslog/m-p/343145#M164377 micahkemp 2017-12-12T16:43:46Z https://community.splunk.com/t5/Splunk-Search/Values-from-inputlookup-file-not-captured-in-syslog/m-p/343146#M164378 <P>@micahkemp</P> <P>Thank you so much for your input.I ran the query u have provided.But no results found.<BR /> please Correct me if i am wrong.the query you have given,will take each domain from lookupfile and search it in syslog. And if the URL not found in syslog,then it will list in table?</P> Tue, 12 Dec 2017 17:31:22 GMT https://community.splunk.com/t5/Splunk-Search/Values-from-inputlookup-file-not-captured-in-syslog/m-p/343146#M164378 Maverick904 2017-12-12T17:31:22Z https://community.splunk.com/t5/Splunk-Search/Values-from-inputlookup-file-not-captured-in-syslog/m-p/343147#M164379 <P>I'm not sure that the search I pasted actually accomplishes anything of value, because I don't really understand your use case. Can you explain more about what it is you are looking for in terms of searching and how the CSV could be used?</P> <P>What I have above looks like it would end up performing basic lookup capabilities, which would be better accomplished by using the <CODE>lookup</CODE> command with the csv in question.</P> Tue, 12 Dec 2017 17:56:14 GMT https://community.splunk.com/t5/Splunk-Search/Values-from-inputlookup-file-not-captured-in-syslog/m-p/343147#M164379 micahkemp 2017-12-12T17:56:14Z https://community.splunk.com/t5/Splunk-Search/Values-from-inputlookup-file-not-captured-in-syslog/m-p/343148#M164380 <P>Actually i have few URLs in inputlookup file.i want each URL from lookup file to be searched in syslog.And whichever URLs are not found in syslog,should be showed in a table..</P> Wed, 13 Dec 2017 01:10:57 GMT https://community.splunk.com/t5/Splunk-Search/Values-from-inputlookup-file-not-captured-in-syslog/m-p/343148#M164380 Maverick904 2017-12-13T01:10:57Z