Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to return values from lookup which are not matching the search?

kavyadekkata
Explorer
‎06-11-2019 07:39 PM

Hi
I currently have a search which returns a list of users with employee id from a user lookup

eg: user lookup has the following information
syyyyyy
sxxxxxx
szzzzzz

My initial search returns syyyyy, sxxxxx but I want the search to return szzzzzz. But my below search is not returning any results

*index=idx_xxxxx sourcetype="cisco:xxx" svc | rename user as identity
| lookup local=true wfh_names_def identity OUTPUT identity, name
| search identity NOT
[| lookup local=true wfh_names_def identity OUTPUT identity, name] *

Could anyone please help

Thanks & Regards
Kavya Dekkata

0 Karma
Reply

denzelchung
Path Finder
‎06-11-2019 11:51 PM

Do the lookup first, then use join to combine your search results with the base lookup values.

For example,

| inputlookup host.csv | join type=left host [metadata type=hosts]

Doing an individual "| metadata type=hosts" search would give me host "A" and "B". In my csv file, I have "A", "B", "C", "D". Doing the above query would give me everything in my lookup file.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...