https://community.splunk.com/t5/Splunk-Search/inputlookup-and-append-search-problem-Expect-output-all-rows-but/m-p/323125#M96410 <P>Please help, want to do a search based on a table of sever-list and find last update time from a server log. I try to create a table first with 4 server listed, I had one server 2.2.2.2. had result in server log. so I expect the result is 4 rows with 2.2.2.2 had totalcount and date and other is empty/null but showing 4 rows. But the result is the inputlookup and append/appendcols will show 1 row only.</P> <P>Any method to show 4 rows instead. Can any one had experience on it. Thanks</P> <P>Using this Searchstring sample</P> <PRE><CODE>| inputlookup append=true hosts_1.csv | table yumclientip,team,is_expected,totalcount,yumdate | join yumclientip append [ search xxx yyy zzzz | setfields count="0" yumdate="NA" | stats count as totalcount by yumclientip, yumdate | fillnull value="(empty)" "totalcount" "yumdate" | dedup yumclientip sortby +_time ] </CODE></PRE> <P>csv file hosts)1.csv</P> <PRE><CODE>################## yumclientip,team,is_expected 1.1.1.1,teamA,true 2.2.2.2,teamB,true 3.3.3.3,teamC,true 4.4.4.4,teamD,true </CODE></PRE> <P>Result get (only 2.2.2.2 had data)</P> <PRE><CODE>######################## yumclientip,team,is_expected,totalcount,yumdate 2.2.2.2,teamA,true,18,2017-07-23 </CODE></PRE> <P>But expect result want 4 rows and not 1 rows only</P> <PRE><CODE>#################### yumclientip,team,is_expected,totalcount,yumdate 1.1.1.1,teamA,true,empty,empty 2.2.2.2,teamB,true,18,2017-07-23 3.3.3.3,teamC,true,empty,empty 4.4.4.4.teamD,true,empty,empty </CODE></PRE> Sun, 23 Jul 2017 05:52:41 GMT netinstall 2017-07-23T05:52:41Z https://community.splunk.com/t5/Splunk-Search/inputlookup-and-append-search-problem-Expect-output-all-rows-but/m-p/323125#M96410 <P>Please help, want to do a search based on a table of sever-list and find last update time from a server log. I try to create a table first with 4 server listed, I had one server 2.2.2.2. had result in server log. so I expect the result is 4 rows with 2.2.2.2 had totalcount and date and other is empty/null but showing 4 rows. But the result is the inputlookup and append/appendcols will show 1 row only.</P> <P>Any method to show 4 rows instead. Can any one had experience on it. Thanks</P> <P>Using this Searchstring sample</P> <PRE><CODE>| inputlookup append=true hosts_1.csv | table yumclientip,team,is_expected,totalcount,yumdate | join yumclientip append [ search xxx yyy zzzz | setfields count="0" yumdate="NA" | stats count as totalcount by yumclientip, yumdate | fillnull value="(empty)" "totalcount" "yumdate" | dedup yumclientip sortby +_time ] </CODE></PRE> <P>csv file hosts)1.csv</P> <PRE><CODE>################## yumclientip,team,is_expected 1.1.1.1,teamA,true 2.2.2.2,teamB,true 3.3.3.3,teamC,true 4.4.4.4,teamD,true </CODE></PRE> <P>Result get (only 2.2.2.2 had data)</P> <PRE><CODE>######################## yumclientip,team,is_expected,totalcount,yumdate 2.2.2.2,teamA,true,18,2017-07-23 </CODE></PRE> <P>But expect result want 4 rows and not 1 rows only</P> <PRE><CODE>#################### yumclientip,team,is_expected,totalcount,yumdate 1.1.1.1,teamA,true,empty,empty 2.2.2.2,teamB,true,18,2017-07-23 3.3.3.3,teamC,true,empty,empty 4.4.4.4.teamD,true,empty,empty </CODE></PRE> Sun, 23 Jul 2017 05:52:41 GMT https://community.splunk.com/t5/Splunk-Search/inputlookup-and-append-search-problem-Expect-output-all-rows-but/m-p/323125#M96410 netinstall 2017-07-23T05:52:41Z https://community.splunk.com/t5/Splunk-Search/inputlookup-and-append-search-problem-Expect-output-all-rows-but/m-p/323126#M96411 <P><CODE>append</CODE> is not a valid keyword for <CODE>join</CODE>. What this line </P> <PRE><CODE>| join yumclientip append [ search ...] </CODE></PRE> <P>...will do is take the results from the first part of the search, and then try to join that set of records to the set of records returned by the second search, joining them based on the values in the fields named <CODE>yumclientip</CODE> and <CODE>append</CODE> on each side of the search.</P> <P>Since the only fields on the right side of the search are <CODE>totalcount</CODE>, <CODE>yumclientip</CODE> and <CODE>yumdate</CODE>, there will never be a match found.</P> <P>Delete the word "append" from the <CODE>join</CODE> clause and see what happens. </P> <P>I'm still not sure that you have the correct code for what you want, but at least you will get some results.</P> Sun, 23 Jul 2017 21:36:04 GMT https://community.splunk.com/t5/Splunk-Search/inputlookup-and-append-search-problem-Expect-output-all-rows-but/m-p/323126#M96411 DalJeanis 2017-07-23T21:36:04Z