Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to bring non matching values into the same col...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ayush1906
Communicator
11-01-2019
07:15 AM
Hi ,
My current index when done table shows:
Name| Attendance | Class
abc | Present | 2A
efg | Present | 2A
And my lookup has the following details: (I can edit the values in this lookup)
Name Attendance Class
abc
efg
hig
And my expected output is
Name| Attendance | Class
abc | Present | 2A
efg | Present | 2A
hig | absent
When I am trying to do append, it actually brings names twice. Any advice?
This is just a sample representation, I have other columns as well.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-04-2019
09:45 PM
DO NOT USE join; try this:
Your first search here:
| inputlookup append=t YourLookupNameHere.csv
| stats first(Attendance) AS Attendance Values(Class) AS Class BY Name
| fillnull value="Absent" Attendance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
11-04-2019
09:45 PM
DO NOT USE join; try this:
Your first search here:
| inputlookup append=t YourLookupNameHere.csv
| stats first(Attendance) AS Attendance Values(Class) AS Class BY Name
| fillnull value="Absent" Attendance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ayush1906
Communicator
11-04-2019
10:16 PM
thanks 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to4kawa
Ultra Champion
11-01-2019
08:50 AM
your search
|table Name Attendance Class
|join Name type=outer [|inputlookup your_lookup]
|eval Attendance=if(Attendance!="",Attendance,"absent")
Hi, how about this?
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Observability Simplified: Combining User Experience, Application Performance & ...
Tech Talk
Observability Simplified: Combining User Experience, Application Performance & Network ...
Event Series May & June: From Network Visibility to Service Intelligence
Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI
In today’s hybrid ...
Global Splunk User Group Events: May + June 2026
Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide
Staying ahead in the fast-paced ...
