Splunk Enterprise

Limit on LOOKUP when use OUTPUT

amzar96
Explorer

Hi, does anyone here face the same issue?

Below is my sample query for reference.

| makeresults
| eval statename= "Selangor"
| eval mega="state"
| lookup type.csv mega as megas OUTPUT WP_Kuala_Lumpur_list, WP_Putrajaya_list, Johor_list, Kedah_list, Kelantan_list,
Melaka_list, Negeri_Sembilan_list, Pahang_list, Perak_list, Pulau_Pinang_list, Sabah_list, Sarawak_list, Selangor_list, Terengganu_list, Perlis_list
| eval res= case(statename= "Kuala Lumpur", WP_Kuala_Lumpur_list,
statename= "Putrajaya", WP_Putrajaya_list,
statename= "Johor", Johor_list,
statename= "Kedah", Kedah_list,
statename= "Kelantan", Kelantan_list,
statename= "Melaka", Melaka_list,
statename= "Negeri Sembilan", Negeri_Sembilan_list,
statename= "Pahang", Pahang_list,
statename= "Perak", Perak_list,
statename= "Pulau Pinang", Pulau_Pinang_list,
statename= "Sabah", Sabah_list,
statename= "Sarawak", Sarawak_list,
statename= "Selangor", Selangor_list,
statename= "Terengganu", Terengganu_list,
statename= "Perlis", Perlis_list)

| table res

 

 

 

In the lookup, Selangor_list has more than 60 rows. But when I ran the query, it just shows me 33 rows.

Then I figured out that if I run the query with less OUTPUT, it is able to show the correct data.

May I know of any limitations on this?

 


ashvinpandey
Contributor

@amzar96 
Basically, the more fields you specify in the output, it will first match the lookup field with your event field; if they match, then that output is shown, else neglected.

Usage:

When using the lookup command, if an OUTPUT or OUTPUTNEW clause is not specified, all of the fields in the lookup table that are not the match field are used as output fields. If the OUTPUT clause is specified, the output lookup fields overwrite existing fields. If the OUTPUTNEW clause is specified, the lookup is not performed for events in which the output fields already exist.

https://docs.splunk.com/Documentation/SCS/current/SearchReference/lookupcommandexamples 

Also, if this reply helps you, an upvote would be appreciated.

 
 