https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272312#M81947 <P>Can you please check once the permission scope of the csv and whether this csv is accessible in the same socpe as the index to see if changing that helps.</P> Tue, 13 Dec 2016 16:00:44 GMT gokadroid 2016-12-13T16:00:44Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272311#M81946 <P>Hi All,<BR /> I have lookup file name called " Privilege_User_List.csv". Using Splunk index, I can able lookup the data and get results. The same query is not working with a different index.<BR /> Example:</P> <P><CODE>index=Index1 sourcetype=iis [| inputlookup Privilege_User_List.csv | fields cs_username ] cs_uri_stem="*.aspx"| stats values(cs_uri_stem) as cs_uri_stem by cs_username| rename cs_username as "User Name", cs_uri_stem as "URL"</CODE> --- it's working</P> <P><CODE>index=Index2 sourcetype=iis [| inputlookup Privilege_User_List.csv | fields cs_username ] cs_uri_stem="*.aspx"| stats values(cs_uri_stem) as cs_uri_stem by cs_username| rename cs_username as "User Name", cs_uri_stem as "URL"</CODE> --- it's not working.</P> <P>I checked the index2, whether data is exist or not. some data is exist. I have removed entries one by one and tried. No luck. we have restarted the Splunk service as well.</P> <P>Can you please help me on this kind of weird issue?</P> <P>Thanks,<BR /> Guru</P> Tue, 29 Sep 2020 12:04:20 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272311#M81946 guruwells 2020-09-29T12:04:20Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272312#M81947 <P>Can you please check once the permission scope of the csv and whether this csv is accessible in the same socpe as the index to see if changing that helps.</P> Tue, 13 Dec 2016 16:00:44 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272312#M81947 gokadroid 2016-12-13T16:00:44Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272313#M81948 <P><CODE>index=Index2 sourcetype=iis cs_uri_stem="*.aspx"</CODE> has cs_usernames that match <CODE>| inputlookup Privilege_User_List.csv | fields cs_username</CODE> ?</P> <P>I don't think this will fix the issue, but one thing I like to add to my subsearches is <CODE>|format</CODE> as it will show 'cs_username=x OR cs_username=y....'</P> <PRE><CODE> [| inputlookup Privilege_User_List.csv | fields cs_username|format ] </CODE></PRE> Tue, 29 Sep 2020 12:04:23 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272313#M81948 cmerriman 2020-09-29T12:04:23Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272314#M81949 <P>Hi guruwells,<BR /> verify if the cs_username field is present in the second index and how it'r written (upper/lower case).<BR /> after verify your search <CODE>index=Index2 sourcetype=iis [| inputlookup Privilege_User_List.csv | fields cs_username ]</CODE> if there are results.<BR /> Bye.<BR /> Giuseppe</P> Tue, 29 Sep 2020 12:04:25 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272314#M81949 gcusello 2020-09-29T12:04:25Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272315#M81950 <P>Even second index also same name and same case. this data is coming from iis logs. I didn't find any difference.</P> Tue, 13 Dec 2016 16:05:47 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272315#M81950 guruwells 2016-12-13T16:05:47Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272316#M81951 <P>Even second index also same name and same case. this data is coming from iis logs. I didn't find any difference.</P> Tue, 13 Dec 2016 16:06:09 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272316#M81951 guruwells 2016-12-13T16:06:09Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272317#M81952 <P>Hi,<BR /> I have checked the permission of the particular lookup file. For all apps "everyone" can read this file. The same was applied index one as well. there it's showing results.<BR /> Thanks<BR /> Guru</P> Tue, 13 Dec 2016 16:07:43 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272317#M81952 guruwells 2016-12-13T16:07:43Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272318#M81953 <P>Added format, it's not worked. When I execute<BR /> "|inputlookup Privilege_User_List.csv | fields cs_username" query, I can able to see csv list.</P> <P>Thanks,<BR /> Guru</P> Tue, 29 Sep 2020 12:06:50 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272318#M81953 guruwells 2020-09-29T12:06:50Z https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272319#M81954 <P>Hi,<BR /> I thoroughly checked the each and every line of the CSV and results. There is one mismatch with new Index. I have modified the Lookup file accordingly. Now I got the result as expected.</P> <P>Thanks for the suggestions.</P> <P>Thanks,<BR /> Guru Prasad </P> Wed, 14 Dec 2016 10:00:53 GMT https://community.splunk.com/t5/Splunk-Search/Why-does-my-lookup-search-fetch-results-when-searching-one-index/m-p/272319#M81954 guruwells 2016-12-14T10:00:53Z