Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Where did I go wrong with my inputlookup search?

mafruma
Explorer
‎01-13-2016 01:57 PM

Hello all.

I have not been able to populate a table via a search that uses inputlookup. My table is only populating with the data from the events. Where did I go wrong?

My search:

sourcetype=integration.wmb.event SAPTransactionID 
| append  [ |inputlookup idocsDec.csv | fields + CREDAT,CRETIM,hour,minute,STATUS,TID | rename TID as SAPTransactionID]
| transaction SAPTransactionID
| table SAPTransactionID CREDAT CRETIM hour minute STATUS

The only data that gets populated in the table is the SAPTransactionID. All of the other fields that I want to pull data from the csv are empty.

0 Karma
Reply

somesoni2
Revered Legend
‎01-13-2016 02:32 PM

The transaction command requires field _time to be present (to calculate duration) which seems to be missing from your Inputlookup data. If available, create a field _time in the subsearch with inputlookup and try again.

If you're only looking to group events based on SAPTransactionId, consider using stats command which is more efficient.

0 Karma
Reply
Get Updates on the Splunk Community!

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

At .conf25, Splunk proudly recognized Fast Lane as the 2025 Authorized Learning Partner of the Year. This ...

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...