https://community.splunk.com/t5/Splunk-Search/lookup-data-not-population-in-final-part-of-query/m-p/667752#M229076 <P>The query field (like the search field) are special cases in subqueries as they are not passed to the outer search, only their values are. This is why the final query field is empty.</P> Tue, 07 Nov 2023 23:11:04 GMT ITWhisperer 2023-11-07T23:11:04Z https://community.splunk.com/t5/Splunk-Search/lookup-data-not-population-in-final-part-of-query/m-p/667751#M229075 <P>Hi all</P><P>i have the below query where i have a lookup&nbsp; file with Error messages im trying to match the error messages in the lookup and then matching those in the rawdata and showing in table. However my final result query field is coming as empty rest all are populating. Need help in the query i was trying to add before the table command | lookup&nbsp;ErrorMessage.csv&nbsp; query OUTPUT query but not working need help&nbsp;</P><P>index=abc host="LINUX123" " source="/new/dir/apps/servers/service*.log"&nbsp; "Error data*"&nbsp; [ | inputlookup ErrorMessage.csv | fields + ErrorMessage | rename ErrorMessage as query] | table _time,host,query, _raw</P><P>&nbsp;</P><P>lookup file content</P><P>ErrorMessage.csv</P><P>File Not Found</P><P>Error data in client transacton</P><P>&nbsp;</P><P>thanks in advance&nbsp;</P><P>&nbsp;</P> Tue, 07 Nov 2023 22:33:23 GMT https://community.splunk.com/t5/Splunk-Search/lookup-data-not-population-in-final-part-of-query/m-p/667751#M229075 vk1544 2023-11-07T22:33:23Z https://community.splunk.com/t5/Splunk-Search/lookup-data-not-population-in-final-part-of-query/m-p/667752#M229076 <P>The query field (like the search field) are special cases in subqueries as they are not passed to the outer search, only their values are. This is why the final query field is empty.</P> Tue, 07 Nov 2023 23:11:04 GMT https://community.splunk.com/t5/Splunk-Search/lookup-data-not-population-in-final-part-of-query/m-p/667752#M229076 ITWhisperer 2023-11-07T23:11:04Z