https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305629#M91732 <P>This is a bug/feature of the search optimizer, in this particular case it's doing projection elimination - removing evals it thinks are unnecessary. To confirm, check the job inspector for optimizedSearch that only contains two inputlookups, but no eval.</P> <P>The field will magically reappear if it's used later in the search, alternatively add <CODE>| table *</CODE> if you just want to see it now... or <CODE>| noop search_optimization=false</CODE>, or <CODE>| eval foo = flag</CODE> will also make it appear.<BR /> This is still happening in 7.0.2, make sure to file a support case to check if this is intentional behaviour or a bug.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/Built-inoptimization#Projection_elimination">http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/Built-inoptimization#Projection_elimination</A></P> Sun, 25 Feb 2018 00:56:03 GMT martin_mueller 2018-02-25T00:56:03Z https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305623#M91726 <P>I saw a <A href="https://answers.splunk.com/answers/583462/inputlookup-append-search-vs-search-append-inputlo.html?utm_source=typeahead&amp;utm_medium=newquestion&amp;utm_campaign=no_votes_sort_relev">previous question</A> dealing with this, but that question never got an accepted answer, and I think it was sufficiently complex that this distillation may highlight the issue more directly. I observed unexpected behavior when testing approaches using <CODE>| inputlookup append=true ...</CODE> vs <CODE>| append [| inputlookup ... ]</CODE>. Here are a series of screenshots documenting what I found.</P> <P>I created two small test csv files: <CODE>first_file.csv</CODE> and <CODE>second_file.csv</CODE>. They each contain three fields: <CODE>_time</CODE>, <CODE>row</CODE>, and <CODE>file_source</CODE>. I tested this code first:</P> <PRE><CODE>| inputlookup first_file.csv | eval flag="this is from the first file" | append [| inputlookup second_file.csv ] </CODE></PRE> <P>This displayed what I expected:<BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4431i5F0EEAC3337894EB/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Then I tested this code snippet:</P> <PRE><CODE>| inputlookup first_file.csv | eval flag="this is from the first file" | inputlookup append=true second_file.csv </CODE></PRE> <P>Somehow, this causes the <CODE>flag</CODE> field to disappear, as you can see here:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4432iA31CC20E5CD6C7C7/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Is this expected? I couldn't find anything in the docs to explain the difference in behavior. If it is expected, is there a flag or attribute I can set when using the <CODE>| inputlookup append=true</CODE> approach that would preserve fields?</P> Thu, 22 Feb 2018 22:10:22 GMT https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305623#M91726 elliotproebstel 2018-02-22T22:10:22Z https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305624#M91727 <P>What version of Splunk are you testing it in? I don't see this behavior (flag field getting removed) in 6.2 and 6.3 instance that I can check right now. Also, what do you get when you run this</P> <PRE><CODE>| gentimes start=-1 | eval flag="this is from the first file" | inputlookup append=true second_file.csv </CODE></PRE> Thu, 22 Feb 2018 22:27:03 GMT https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305624#M91727 somesoni2 2018-02-22T22:27:03Z https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305625#M91728 <P>I'm running Splunk 6.6.2.<BR /> Here's the output of that command:</P> <PRE><CODE>endhuman starttime starthuman endtime flag Wed Feb 21 23:59:59 2018 1519189200 Wed Feb 21 00:00:00 2018 1519275599 this is from the first file </CODE></PRE> Thu, 22 Feb 2018 22:34:06 GMT https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305625#M91728 elliotproebstel 2018-02-22T22:34:06Z https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305626#M91729 <P>Nothing is getting added from yoru second_file.csv lookup?</P> Thu, 22 Feb 2018 22:39:42 GMT https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305626#M91729 somesoni2 2018-02-22T22:39:42Z https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305627#M91730 <P>Sorry, I was in a rush out the door last night and accidentally ran your suggested tests with outputlookup instead of inputlookup, hence the nonsense. Fully caffeinated and not in a rush, here's the real results. </P> <P>CODE: </P> <PRE><CODE>| gentimes start=-1 | eval flag="this is from the first file" | inputlookup append=true second_file.csv </CODE></PRE> <P>OUTPUT:</P> <PRE><CODE>endtime endhuman starthuman starttime _time file_source row 1519361999 Thu Feb 22 23:59:59 2018 Thu Feb 22 00:00:00 2018 1519275600 2018-02-23 11:45:44 second 1 2018-02-23 11:45:44 second 2 2018-02-23 11:45:44 second 3 </CODE></PRE> <P>Easier to see/parse:<BR /> <A href="https://imgur.com/82CmsKh">https://imgur.com/82CmsKh</A></P> Fri, 23 Feb 2018 16:51:04 GMT https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305627#M91730 elliotproebstel 2018-02-23T16:51:04Z https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305628#M91731 <P>Also, for what it's worth, our ops team upgraded everything from 6.6.2 to 6.6.5 last night, and I'm still seeing the same behavior.</P> Fri, 23 Feb 2018 17:36:48 GMT https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305628#M91731 elliotproebstel 2018-02-23T17:36:48Z https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305629#M91732 <P>This is a bug/feature of the search optimizer, in this particular case it's doing projection elimination - removing evals it thinks are unnecessary. To confirm, check the job inspector for optimizedSearch that only contains two inputlookups, but no eval.</P> <P>The field will magically reappear if it's used later in the search, alternatively add <CODE>| table *</CODE> if you just want to see it now... or <CODE>| noop search_optimization=false</CODE>, or <CODE>| eval foo = flag</CODE> will also make it appear.<BR /> This is still happening in 7.0.2, make sure to file a support case to check if this is intentional behaviour or a bug.</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/Built-inoptimization#Projection_elimination">http://docs.splunk.com/Documentation/Splunk/7.0.2/Search/Built-inoptimization#Projection_elimination</A></P> Sun, 25 Feb 2018 00:56:03 GMT https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305629#M91732 martin_mueller 2018-02-25T00:56:03Z https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305630#M91733 <P>You're right! Thank you. It was causing me some confusion while trying to troubleshoot a more complex use case, but I can understand why it would be a "feature" here.</P> Mon, 26 Feb 2018 17:18:09 GMT https://community.splunk.com/t5/Splunk-Search/Inputlookup-append-true-vs-append-inputlookup-behavior/m-p/305630#M91733 elliotproebstel 2018-02-26T17:18:09Z