Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Add Rows from Lookup with no matches

Sivrat
Path Finder
‎03-08-2021 10:02 AM

I'm trying to use a lookup and some search results to display a table that includes both where something matched in the lookup, and where no matches were found in the lookup.

Sample search syntax would be:
[very long search, ends up in table with fieldA, fieldC]
| lookup MyLookup fieldA output fieldB
| chart values(fieldA) by fieldB, fieldC

This shows the values of field A, split by rows for the matching fieldB (pulled from lookup) and split by columns for fieldC.

I want to see all of the fieldB rows in the lookup added, even if there was no matching fieldA. Either blank or with a default value of 'None Found' or something in the chart results, since knowing something is 'missing' is important.

How can I do this? 

Labels (6)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-08-2021 08:04 PM

Hi @Sivrat,

Please try below;

[very long search, ends up in table with fieldA, fieldC]
| lookup MyLookup fieldA output fieldB
| inputlookup append=t MyLookup
| fillnull value="None Found" fieldB fieldC
| chart values(fieldA) by fieldB, fieldC
If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-08-2021 08:04 PM

Hi @Sivrat,

Please try below;

[very long search, ends up in table with fieldA, fieldC]
| lookup MyLookup fieldA output fieldB
| inputlookup append=t MyLookup
| fillnull value="None Found" fieldB fieldC
| chart values(fieldA) by fieldB, fieldC
If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Solved! Jump to solution

Sivrat
Path Finder
‎03-09-2021 06:27 AM

This worked after very slight adjustments.

[very long search, ends up in table with fieldA, fieldC]
| lookup MyLookup fieldA output fieldB
| inputlookup append=t MyLookup
| fillnull value="None" fieldC
| chart values(fieldA) by fieldB, fieldC
| fields - None

Since I actually didn't want all of the fieldA's from the original search, just all of them that matched in the lookup.
But the inputlookup and adding in fillnull allowed all of the fieldB to be present, and I just needed to remove the column that was the filler at the end. 

Thanks @scelikok 

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-08-2021 12:42 PM

Have you tried fillnull?

Sample search syntax would be:
[very long search, ends up in table with fieldA, fieldC]
| lookup MyLookup fieldA output fieldB
| fillnull value="None Found" fieldB
| chart values(fieldA) by fieldB, fieldC
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Sivrat
Path Finder
‎03-08-2021 12:53 PM

Thanks for the response.

Fillnull covers cases where a row is present, but the column is blank. As long as one of the columns has value, it works since that means the row will be present

If there are rows in lookup that don't have any matches in the values returned by the search, then those won't get populated at all.

I'm now trying to surround the [very long search] with a join using combination of inputlookup and appendcols to try and build out the initial table, then join the rest with subsearch. But haven't quite gotten it working. Really hoping there is an easier way.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...