Splunk Enterprise Security

How to fix - Lookup file working properly when running "inputlookup" command but in search time not all fields are extracted.

Path Finder

I have a lookup file to add additional fields to events.
When running the "inputlookup" command I can see all the fields (4) just fine, but when running a search I see just 3 values from the 4 values in the table.
I've checked the spelling multiple times, and removed and added the lookup, but I still see just part of the lookup data.

Does anyone have an idea?
Thank you.

0 Karma

Builder

When you use a lookup, you're finding data in the table based on a field in your search data.

Therefore, if you're doing a lookup on field1, you won't see it added in your output, because it was already there in your event data.

0 Karma

To assist better, please provide some examples and the query in which you are using the lookup.

Ultra Champion

Can you provide some examples?
Does your automatic lookup specify all 4 output fields?

0 Karma

Path Finder

I can share, but it won't help you since part of the data is in Hebrew.
I'm trying to make a lookup that will add data in English in addition to the Hebrew text so I'll be able to query in a more efficient way.

What do you mean by "all 4 output fields"? It's all in the same field - different values. It's all door names in the same field.

0 Karma