https://community.splunk.com/t5/Splunk-Search/Outputlookup-followed-by-stats-command-causes-extra-column-to-be/m-p/755564#M242947 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310918">@Anders333</a>&nbsp;</P><P>The lookup file is created with the fields _time and test, then you run stats values(test) as testing. This produces a new field testing in the search results.<BR />Splunk lookup files are schema‑flexible. If later commands introduce new fields, splunk adds them as new columns, even if they’re empty for existing rows.</P><P><BR />If you need only testing field then write your outputlookup command after your stats.<BR />Eg:</P><LI-CODE lang="markup">| makeresults | eval test = "this is a testing thing" | stats values(test) as testing | outputlookup append=false test.csv</LI-CODE><P><BR />Regards,<BR />Prewin<BR /><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span>If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!</P> Mon, 17 Nov 2025 04:44:32 GMT PrewinThomas 2025-11-17T04:44:32Z https://community.splunk.com/t5/Splunk-Search/Outputlookup-followed-by-stats-command-causes-extra-column-to-be/m-p/755510#M242943 <P>Hello, I came across some unexpected search behaviour today.</P><P>When using the outputlookup command followed by a stats command, as in the example, an additional empty column is added to the lookup file.</P><LI-CODE lang="markup">| makeresults | eval test = "this is a testing thing" | outputlookup append=false testindjiasbhd8a0.csv | stats values(test) as testing</LI-CODE><P>Expected lookup table:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%">_time</TD><TD width="50%"><P>test</P></TD></TR><TR><TD width="50%">2025-11-14 14:19:07</TD><TD width="50%">this is a testing thing</TD></TR></TBODY></TABLE><P>Actual lookup table:</P><TABLE border="1" width="100%"><TBODY><TR><TD width="33.333333333333336%" height="25px">_time</TD><TD width="33.333333333333336%" height="25px">test</TD><TD width="33.333333333333336%" height="25px">testing</TD></TR><TR><TD width="33.333333333333336%">2025-11-14 14:19:07</TD><TD width="33.333333333333336%">this is a testing thing</TD><TD width="33.333333333333336%" height="25px">&nbsp;</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>I don't know if this is a bug or expected behaviour., and I was unable to find anything that would explain it.</P><P>Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 14 Nov 2025 13:29:26 GMT https://community.splunk.com/t5/Splunk-Search/Outputlookup-followed-by-stats-command-causes-extra-column-to-be/m-p/755510#M242943 Anders333 2025-11-14T13:29:26Z https://community.splunk.com/t5/Splunk-Search/Outputlookup-followed-by-stats-command-causes-extra-column-to-be/m-p/755534#M242944 <P>My understanding is that as part of the search processing, the processor determines which fields are required at the end and those are then available to be output by the outputlookup command. It doesn't have to be a stats command or even a field with any values. For example, a similar result will be shown if you try this:</P><LI-CODE lang="markup">| makeresults | eval test = "this is a testing thing" | outputlookup append=false testindjiasbhd8a0.csv | table testing</LI-CODE><P>However, you can work around this by removing the field before it is created</P><LI-CODE lang="markup">| makeresults | eval test = "this is a testing thing" | fields - testing | outputlookup append=false testindjiasbhd8a0.csv | stats values(test) as testing</LI-CODE> Fri, 14 Nov 2025 23:18:59 GMT https://community.splunk.com/t5/Splunk-Search/Outputlookup-followed-by-stats-command-causes-extra-column-to-be/m-p/755534#M242944 ITWhisperer 2025-11-14T23:18:59Z https://community.splunk.com/t5/Splunk-Search/Outputlookup-followed-by-stats-command-causes-extra-column-to-be/m-p/755564#M242947 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/310918">@Anders333</a>&nbsp;</P><P>The lookup file is created with the fields _time and test, then you run stats values(test) as testing. This produces a new field testing in the search results.<BR />Splunk lookup files are schema‑flexible. If later commands introduce new fields, splunk adds them as new columns, even if they’re empty for existing rows.</P><P><BR />If you need only testing field then write your outputlookup command after your stats.<BR />Eg:</P><LI-CODE lang="markup">| makeresults | eval test = "this is a testing thing" | stats values(test) as testing | outputlookup append=false test.csv</LI-CODE><P><BR />Regards,<BR />Prewin<BR /><span class="lia-unicode-emoji" title=":glowing_star:">🌟</span>If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!</P> Mon, 17 Nov 2025 04:44:32 GMT https://community.splunk.com/t5/Splunk-Search/Outputlookup-followed-by-stats-command-causes-extra-column-to-be/m-p/755564#M242947 PrewinThomas 2025-11-17T04:44:32Z